
Keyword: vulnerability

  • DeSantis accused of favoring insurance-industry donors at residents’ expense

    05/05/2023 8:55:28 AM PDT · by conservative98 · 47 replies
    Guardian ^ | 3 May 2023 09.51 | David Smith
    Ron DeSantis, the rightwing Republican governor of Florida and a likely 2024 presidential candidate, has handed favors to his big-money donors in the insurance industry at the expense of cash-strapped residents of his state, a new report claims. The report, “How Ron DeSantis sold out Florida homeowners”, draws on contributions from the American Federation of Teachers union, the non-profit Center for Popular Democracy, the voting rights group Florida Rising and the dark money watchdog Hedge Clippers. [cut] the report’s authors suggest, that DeSantis’s administration has put the insurance companies’ interests ahead of Florida’s own citizens, who are battling homeowner insurance...
  • Janet Jackson Music Video Declared Security Vulnerability (REAL security - not satire)

    08/19/2022 12:30:11 PM PDT · by dayglored · 31 replies
    Secure World ^ | Aug 18, 2022 | Drew Todd
    Yes, you read that headline correctly. Janet Jackson's music video for her 1989 hit single Rhythm Nation has been declared a security vulnerability after a Microsoft engineer discovered it could freeze some hard drives on older computers. Raymond Chen, the Microsoft engineer, said that a colleague shared a story from Windows XP product support that described a "major computer manufacturer" who discovered the music video would crash certain models of laptops. During the manufacturer's investigation, it was discovered that the audio signal from the music video crashed some of their competitors' computers. But there was more to it than that....
  • PrintNightmare, Critical Windows Print Spooler Vulnerability (Windows Admins: Disable Print Spooler NOW)

    07/01/2021 7:55:16 AM PDT · by dayglored · 36 replies
    US Cybersecurity & Infrastructure Security Agency ^ | June 30, 2021 | US-CERT-CISA Agency
    [Dayglored Note: This is primarily for Windows Administrators, but is of potential concern to ALL Windows users.] Also see: Leaked print spooler exploit lets Windows users remotely execute code as system on your domain controller; PrintNightmare: Windows Zero-Day Accidentally Disclosed by Chinese Researchers; Public Windows PrintNightmare 0-day exploit allows domain takeover. PrintNightmare, Critical Windows Print Spooler Vulnerability. Original release date: June 30, 2021. The CERT Coordination Center (CERT/CC) has released a VulNote for a critical remote code execution vulnerability in the Windows Print spooler service, noting: “while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not...
  • Brace, Brace, Brace: Global Supply Chains, Instability and Archegos

    03/29/2021 7:53:59 AM PDT · by amorphous · 54 replies
    Blain’s Morning Porridge ^ | 29 March 2021 | Blain
    “The supreme art of war is to subdue the enemy without fighting.” This morning – You could not make this up; an unimaginably complex WW3 Techno-thriller unfolding as markets stumble and global supply chains hover on the edge of anarchy. On the other hand, maybe that’s just the way it was planned. I am not one for conspiracy theories. But… this morning… If I was a writer of trashy global-techno-World War 3 pulp fiction, and proposed the following scenario where the global economy lurches into an unprecedented period of instability – nobody would believe me: 1) Global Supply Chains, weakened...
  • White House says closely tracking Microsoft's emergency patch

    03/05/2021 8:13:32 PM PST · by linMcHlp · 26 replies
    Reuters ^ | 03/05/2021 | Reuters staff
    The White House is closely tracking an emergency patch Microsoft Corp has released, U.S. national security adviser Jake Sullivan said on Thursday, after an unknown hacking group recently broke into organizations using a flaw in the company’s mail server software.
  • The Cloud can't be Trusted

    01/11/2021 9:25:27 AM PST · by MercyFlush · 63 replies
    Mercy Flush ^ | 11 January 2021 | MercyFlush
    I've been in the technology industry for over twenty years and I've seen fads come and go. When I got started in 2000 I oversaw the migration of data from old tape drives to modern 1GB hard drives. Then at my job I oversaw the end of the mainframe and the ascendancy of the PC and server as the new form of decentralized network infrastructure. From 2001 through to around 2010 the internet and internet access were present in the government agency I work for but most people were prohibited from using it. And if they did their access was...
  • Nationwide Reports of Brief 911 System Outages, Cause Not Immediately Clear; Law enforcement in multiple cities and counties in at least four states tweeted their emergency number was down for about an hour

    09/28/2020 8:40:05 PM PDT · by SeekAndFind · 29 replies
    NBC New York ^ | 09/28/2020
    Law enforcement agencies across the country reported brief outages of their 911 systems Monday night, and it was not immediately clear if there was a connection with a major Microsoft system outage. Law enforcement agencies around the country, from Nevada to Pennsylvania and Arizona to Minnesota, tweeted that their 911 systems were down beginning sometime after 7 p.m. ET. Multiple reports indicated outages throughout Delaware and Ohio as well. By 8:15 p.m., many of those departments reported that their services had come back online. Others were still recommending that people call local department numbers instead of the emergency line. The...
  • Thunderbolt flaws affect millions of computers – even locking unattended devices won't help

    05/11/2020 9:07:49 AM PDT · by Swordmaker · 35 replies
    ZDNet ^ | May 11, 2020 | By Liam Tung
    Thunderbolt vulnerabilities can let attacker with physical access steal data from memory and encrypted drives. A Dutch researcher has detailed nine attack scenarios that work against all computers with Thunderbolt shipped since 2011 and which allow an attacker with physical access to quickly steal data from encrypted drives and memory. Researcher Björn Ruytenberg detailed the so-called Thunderspy attacks in a report published on Sunday, warning that the attacks work even when users follow security best practice, such as locking an unattended computer, setting up Secure Boot, using strong BIOS and operating system account passwords, and enabling full disk encryption. Microsoft...
  • WebRTC Leak Vulnerability – SOLVED (For all Browsers)

    04/01/2019 4:31:27 AM PDT · by Texas Fossil · 35 replies
    Restore Privacy ^ | September 17, 2018 | Sven Taylor
    When discussing online privacy and VPNs, the topic of WebRTC leaks and vulnerabilities often comes up. While the WebRTC issue is often discussed with VPN services, this is in fact a vulnerability with web browsers – Firefox, Opera, Chrome, and Brave. So what is WebRTC? WebRTC stands for “Web Real-Time Communication”. This basically allows for voice, video chat, and P2P sharing within the browser (real-time communication) without adding extra browser extensions – further described on Wikipedia here. While this feature may be useful for some users, it poses a threat to anyone using a VPN and seeking to maintain online anonymity. WebRTC Vulnerability: The fundamental vulnerability...
  • Microsoft reveals which Windows bugs it might decide not to fix

    06/13/2018 7:59:38 AM PDT · by dayglored · 16 replies
    The Register ^ | Jun 13 2018 | Simon Sharwood
    Draft document explains where Redmond thinks its responsibility ends. Microsoft’s published a draft “Security Servicing Commitments for Windows” in which it explains the bugs it will and won’t fix. The document (PDF) was revealed on June 12th and is intended for security researchers, to offer “better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them.” “We are primarily interested in feedback around our servicing policies and whether our criteria makes sense to you, the researcher,” says Microsoft’s announcement of the draft. Microsoft explains that it asks two questions when it learns of...
  • 0-day iOS HomeKit vulnerability let remote access to smart accessories/locks, fix rolling out

    12/08/2017 1:09:39 PM PST · by Swordmaker · 17 replies
    9 to 5 Mac ^ | - Dec. 7th 2017 1:03 pm PT | By Zac Hall
    A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality. The vulnerability, which we won’t describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of...
  • The Stack Clash (Major Vulnerability found in Linux, Solaris, Free/Net/OpenBSD)

    06/20/2017 2:52:48 PM PDT · by dayglored · 31 replies
    Qualys Security Labs Blog ^ | Jun 19, 2017 | Qualys Research Team
    Note from dayglored: This article is about a flaw in the *IX systems -- Linux, FreeBSD, NetBSD, OpenBSD, Solaris. It does NOT apply to Windows, nor as far as I can tell, to OS X (even though OS X is based on FreeBSD). What is the Stack Clash? The Stack Clash is a vulnerability in the memory management of several operating systems. It affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. It can be exploited by attackers to corrupt memory and execute arbitrary code. Qualys researchers discovered this vulnerability and developed seven exploits and seven proofs of concept...
  • Android bug fear in 900 million phones

    08/08/2016 1:39:53 AM PDT · by Swordmaker · 20 replies
    BBC ^ | August 8, 2016 | By Mark Ward
    The flaws affect devices containing Qualcomm chips. Serious security flaws that could give attackers complete access to a phone's data have been found in software used on tens of millions of Android devices. The bugs were uncovered by Checkpoint researchers looking at software running on chipsets made by US firm Qualcomm. Qualcomm processors are found in about 900 million Android phones, the company said. However, there is no evidence of the vulnerabilities currently being used in attacks by cyberthieves. "I'm pretty sure you will see these vulnerabilities being used in the next three to four months," said Michael Shaulov, head...
  • Zero-day exploit can bypass rootless on Mac to modify the system without detection

    03/27/2016 12:18:07 AM PDT · by Swordmaker · 16 replies
    Digital Trends ^ | March 25, 2016 | By Justin Pot
    A zero-day exploit affecting Mac OS X allows attackers to execute arbitrary code on any binary. That’s not good, and it gets worse. The exploit bypasses System Identity Protection (SIP, sometimes called rootless), and is almost impossible to trace once implemented. Apple has been notified and a patch is on the way. “Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” wrote SentinelOne in a blog post announcing the discovery. A talk given by Pedro Vilaça at SyScan360, a security conference in downtown Singapore this week, outlined...
  • DROWN Attack - New Server SSL Encryption Vulnerability Announced, 1/3 of Internet Is At Risk

    03/02/2016 1:10:04 PM PST · by dayglored · 27 replies
    DROWN Attack Website ^ | March 1, 2016 | (Various researchers)
    As described in this paper "DROWN: Breaking TLS using SSLv2" (PDF), it is possible to crack current TLS encryption using an old, obsolete, but nevertheless still deployed protocol, SSLv2. This is a server-side issue -- it is not something clients (normal users) can do anything about. Folks browsing the web have to rely on the system admins at their favorite websites, mail portals, banks, shops, etc. to fix this. It is estimated that a third of the public servers on the Internet are vulnerable to this attack. You can test the servers in a given domain using this tool from...
  • Zero-Day FFmpeg Vulnerability Lets Anyone Steal Files from Remote Machines

    01/14/2016 7:18:26 PM PST · by Utilizer · 19 replies
    Softpedia ^ | Jan 13, 2016 22:03 GMT | Marius Nestor
    A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, was unveiled recently. The vulnerability was discovered on January 12, 2016, by Russian programmer Maxim Andreev in the current stable builds of the FFmpeg software, and it would appear that it allows anyone who has the necessary skills to hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file. The vulnerability is limited to reading local...
  • Surprise, Apple's OS X Comes Out as Most Vulnerable Software of 2015

    01/03/2016 5:58:53 PM PST · by Up Yours Marxists · 92 replies
    Hackread ^ | January 3, 2015 17:01 UTC | Ali Raza
    In a study conducted by CVE Details, the most vulnerable software of the previous year has been identified as Apple’s OS X and the tech-giant is also the company with most bugs. With 2016 coming, people in all sectors have been busy summarizing 2015 with reports and lists of who have been the winners and who have been the losers. The tech experts and security personnel have been at it too, with CVE Details producing a list of most vulnerable software of the past year. Many would have expected the list to be topped by Adobe Flash, for the software...
  • 'Devastating' flaw found in Windows' authentication system (Uh-oh, a major Kerberos vulnerability)

    12/15/2015 1:41:21 PM PST · by dayglored · 32 replies
    The Register ^ | Dec 15, 2015 | Kieren McCarthy
    Security researcher @dfirblog has discovered what he calls a devastating flaw in Windows' Kerberos authentication system. The flaw cannot be fixed and the only solution is to introduce and use Microsoft's Credential Guard program to prevent passwords from being stored in memory, according to his extensive blog post. The flaw results from how the third-party authentication system creates secret keys: by using the password associated with a disabled username (krbtgt). That password is rarely changed, making it possible to bypass the authentication system altogether and allow an attacker to grant themselves admin privileges, as well as create secret passwords for...
  • NEW Adobe Flash Zero-day Vulnerability / Exploit - Uninstall Flash Today From All Computers

    10/15/2015 11:34:56 AM PDT · by dayglored · 63 replies
    (vanity, multiple sources) ^ | Oct 15, 2015 | (vanity, multiple sources)
    Yet another bad new Zero-Day (already exploited) Adobe Flash vulnerability. Time to uninstall Flash from all your computers and keep it off for good! To remove Flash from Windows: Close your browser. In Control Panel -> Programs and Features, remove/uninstall all Adobe Flash or Shockwave items. Restart your browser. Go to Add-ons/Plugins and confirm there are no Shockwave or Flash plugins. To remove Flash from OS X (10.6 and later): Download and run this Flash uninstaller: http://fpdownload.macromedia.com/get/flashplayer/current/support/uninstall_flash_player_osx.dmg To remove Flash from Linux: Close your browser. Use "apt-get remove", "yum erase", or find the flashplayer .so (e.g. in /usr/lib[64]/mozilla/plugins or ~/.mozilla/plugins)...
  • Patch! Microsoft emits emergency fix for THIRD Hacking Team hole (Critical Windows Vulnerability)

    07/20/2015 1:58:13 PM PDT · by dayglored · 16 replies
    The Register ^ | July 20, 2015 | Chris Williams
    Microsoft has, in the past couple of minutes, released a security update for all supported versions of Windows to fix a critical remote-code execution vulnerability. Details of the vulnerability were found and reported to Microsoft by security researchers poring over internal memos leaked online from spyware-maker Hacking Team. This follows an elevation-of-privilege hole in Windows, and a remote-code execution vuln in Internet Explorer 11, that were also uncovered from the Hacking Team files, and patched last week by Microsoft. This latest security flaw (MS15-078) lies within the Windows Adobe Type Manager Library, and can be exploited by attackers to hijack...