Microsoft changes encryption, another D-Link bug, phishing dangers, and more
Plus, Baltimore's disastrous ransomware infection and worse IT practices
Roundup Let's look at some of the latest security news you may have missed this week.
Baltimore ransomware outbreak made worse by bad storage practices
This year's ransomware infection at the City of Baltimore made headlines, in part because of the eye-popping $18.2m price tag its damage and recovery bills racked up. It turns out that the city's bad data collection policies are playing a big role in that.
The Baltimore Sun reports that one of the reasons the data loss from the infection was so severe was because many of the important files were being kept locally on the PCs of individual employees, rather than backed up to a central server.
This meant that, as the ransomware infection spread from PC to PC, that data was lost and could not be recovered from a backup server, as should be the case.
"One of the things I’ve learned in my short time here is a great number of Baltimore City employees store entity information on their local computers. And that’s it," said city auditor Josh Pasch.
Not surprisingly, Baltimore's City Council and auditors are less than happy to learn of this policy, and the city's IT department is planning to change it.
Online game Counter-Strike: Global Offensive is the target of an RCE bug that could allow gamers to be compromised by a hostile server. CVE-2019-15943 is a memory corruption bug that arises when handling a malformed map file.
In practice, the attacker could set up a server then send connecting players the malformed file. A successful exploit could either crash the game or allow for remote code execution.
Microsoft tweaks encryption settings
The latest update to Windows 10 is bringing a change to the way Microsoft handles encryption.
From now on, Redmond says the default setting for BitLocker on new hard drives will be software encryption, a more secure method of locking down drives. The setting can be changed, and the policy will not apply to existing drives.
Cloudflare drops week's worth of new features
Edge network provider Cloudflare is wrapping up its annual birthday week rollout of new features and products. The week saw one new feature released each day.
These include a mobile app called WARP, a new set of browser statistic reports for site owners, a security tool to trap and occupy online bots, and support for HTTP/3.
Cheeky AT&T redirects pentest pings to FBI
AT&T had a bit of explaining to do after researchers discovered that one of its pages contained code that would redirect the traffic generated by pentests to the FBI's website.
Fortunately, this was spotted before anyone got their door kicked down and was written off as a joke from someone in AT&T's IT department. The redirect has since been taken down.
D-Link storage boxes flagged for arbitrary code execution bug
The research team at CyStack Security in Vietnam has laid claim to the discovery of a critical vulnerability in D-Link's network-attached storage boxes.
CVE-2019-16057 is a remote command execution vulnerability in the DNS-320 model. The bug was patched on September 11 and was detailed by the team recently.
"While doing some research on network devices we found a command injection vulnerability at the login module of a D-Link DNS-320 device," CyStack says.
"The flaw exists at a hidden feature called SSL Login, whose required parameter, port, can be poisoned."
The vulnerability has a CVSS score of 10/10, so you will definitely want to make sure your storage boxes are patched.
Phishing scam imitates Adobe
A Reg reader pointed us to this sysadmin's report of a phishing scam that appears to disguise its credential-harvesting fake login pages as legitimate Windows login sites.
Furthering the scheme, the phishing attack seemed to direct through a legitimate Adobe domain.
"I got an alert about a user click on a phishing email. Took a look at the alert and the URI originally looked legit - adobe.com, no problem. But something was still whiffy so I dug deeper," the admin explained.
"Tested the link - it redirected to a fake Office 365 login page hosted at Windows.net. Holy shit. I tested the URI string from Adobe, and sure enough you can put anything after "&p1=" and adobe will redirect you."
The admin noted the matter was reported to Microsoft and the scammer's account was deleted. ®
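The lure the admin describes works because a trusted domain's query parameter forwards the browser to whatever URL is placed after `&p1=`. The triage check below, an added example and not code from the report or from Adobe, flags links in an alert whose query parameters carry an absolute or scheme-relative URL pointing off the link's own registrable domain. It generalises beyond `p1` to any parameter, and the sample URLs, paths and hosts are constructed placeholders, not the real redirect endpoint.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# "p1" is the parameter named in the sysadmin's report; the others are
# common redirect-parameter conventions, included as an assumption.
KNOWN_REDIRECT_PARAMS = {"p1", "url", "redirect", "next", "return", "goto"}

def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for a triage heuristic."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def _embedded_target(value: str):
    """Host of a URL embedded in a query value, or None. Decodes one extra
    layer of percent-encoding and accepts scheme-relative (//host) forms."""
    v = unquote(value).strip()
    if v.startswith("//"):
        v = "https:" + v
    if not v.lower().startswith(("http://", "https://")):
        return None
    return urlsplit(v).hostname

def find_open_redirects(url: str) -> list:
    """Return query parameters whose value points to a different registrable
    domain than the link itself, the pattern the Adobe/Office 365 lure used."""
    parts = urlsplit(url)
    link_host = parts.hostname or ""
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        target = _embedded_target(value)
        if target is None or _registrable(target) == _registrable(link_host):
            continue
        findings.append({
            "param": name,
            "target_host": target,
            "known_redirect_param": name.lower() in KNOWN_REDIRECT_PARAMS,
        })
    return findings

# Constructed sample alert URLs: paths and the windows.net host are made up.
SAMPLE_URLS = [
    "https://www.adobe.com/example-path?id=42&p1=https%3A%2F%2Fexample-lure.windows.net%2Flogin",
    "https://www.adobe.com/example-path?p1=https://helpx.adobe.com/support",
    "https://www.adobe.com/example-path?p1=//example-lure.windows.net/login",
    "https://www.adobe.com/example-path?page=2",
]

def triage(urls):
    """Map each URL to its findings; an empty list means nothing suspicious."""
    return {u: find_open_redirects(u) for u in urls}
```

Same-domain targets (the second sample) are left alone, so the check only fires on the cross-domain hop that a credential-harvesting page relies on.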