Microsoft Office Macro Policy Reversal: A Legacy Of Incompetent Security Management

July 11, 2022 by Marc Handelman in Microsoft Cruft, Security Incompetence

Over the weekend, Ars Technica's Dan Goodin reported on the reversal of the current Microsoft Corporation (NASDAQ: MSFT) Office untrusted macro run policy. Apparently, the company will no longer block untrusted macro execution within Microsoft Office documents (via the utilization of various means - read Defender, et cetera).

During a brief conversation yesterday, a fellow security professional with knowledge of the matter speculated to me: "Maybe they are going into the ransomware business"...

Clear evidence of the astonishing pervasive incompetence (aka The Microsoft Way) in all of it's unabashed glory, now, firmly ensconced at the corporate behemoth's sprawling Redmond, Washington based digs.

Update 2022/07/11 12:43 - Meanwhile, Richi Jennings regales us with a superb piece at Security Boulevard in which, the dissection of this latest debacle commences (plus other acerbic wit and wisdom from commenters)...

via the respected information security capabilities of Robert M. Lee & the superlative illustration talents of Jeff Haas at Little Bobby Comics — **via** the respected information security capabilities of **Robert M. Lee** & the superlative illustration talents of **Jeff Haas** at **Little Bobby Comics**

Robert M. Lee's & Jeff Haas' Little Bobby Comics - 'WEEK 326' →

April 25, 2021 by Marc Handelman in Little Bobby Comics, Robert M. Lee, Jeff Haas, Security Humor, Satire, Sarcasm, ICS/SCADA Security, Security Incompetence, Security Leadership Fail

Oops! Oracle Corporation's BlueKai Exposes Billions Of Records On Interwebs

June 19, 2020 by Marc Handelman in Information Insecurity, Security Incompetence, Blatant Stupidity

via Zack Whittaker, writing at TechCrunch (and, via an appreciated H/T), comes a report of the most egregiously enormous data leak this year: This time, it's Oracle Corporations' (NYSE: ORCL) BlueKai's (BlueKai's claim-to-fame is the enormous damage it's dataloss can cause due to the sheer size of the data it stores on many, if not all US, UK, AUS, NZ and Canadian (and other nationalities) persons that traverse our beloved interwebs) turn to take a bow. Don't fret, I'm relatively certain there will be bigger screw-ups before the proverbial ball drops in Times Square - as there is still plenty of time to grab the Security Incompetence Award for 2020).

"BlueKai uses website cookies and other tracking tech to follow you around the web. By knowing which websites you visit and which emails you open, marketers can use this vast amount of tracking data to infer as much about you as possible — your income, education, political views, and interests to name a few — in order to target you with ads that should match your apparent tastes. If you click, the advertisers make money." - via Zack Whittaker, writing at TechCrunch

The Continuing ZOOM Security Fails: A Litany Of Security Incompetence →

April 02, 2020 by Marc Handelman in Security Incompetence

via Wang Wei, writing at The Hacker News, comes the latest reports of blatant anti-customer security outragse perpetrated by Zoom. Read it and Weep... But, after you wipe away the tears, remember there are other alternatives. Our suggestion is to immediately stop using Zoom products, and move to other more verifiably secure solutions (Apple Facetime and Microsoft Skype are certainly viable and stable platforms). And, while yoou are at it... Read Brian Krebs take on another security fail at Zoom, where Zoom security flaws are the gift that keeps on giving!

"Confirmed by researcher Matthew Hickey and demonstrated by Mohamed Baset, the first attack scenario involves the SMBRelay technique that exploits the fact that Windows automatically exposes a user's login username and NTLM password hashes to a remote SMB server when attempting to connect and download a file hosted on it."

The ~100,000...

February 24, 2020 by Marc Handelman in Security Incompetence

via Dan Goodin writing at Ars Technica comes the sorry tale of the hundred thousand. Yes, approximatley 100,000 (give or take a couple thousand possible targets...) WordPress sites have succumbed to a vulnerability hiding resolutely in the so-called ThemeGrill Demo Importer add-in. Suffice to say, the litany of failure-to-secure in the WordPress world is a long and infamous tale.

Proof The End Is Near: Critical Crypto Vulnerability In Microsoft Products...

January 15, 2020 by Marc Handelman in The End Is Near, Security Incompetence

So, what else is new? Isn't it time to move on to non-Microsoft Corporation (Nasdaq: MSFT) Operating Systems that well may be light-years ahead of the Redmond, WA software leviathan deeply flawed bits?

IPVM Reports: Wyze CEO Blames Employee For Data Loss, Not Company's Security Posture...

December 31, 2019 by Marc Handelman in Information Insecurity, Security Must Read, Security Incompetence

John Honovich - writing at IPVM, categorically exclaims "Stop Blaming Your Employee, Wyze'. Thus rounds out what we like to call the Year of the Data Exfil, and todays' must read on the Wyze Data Exposure of 2.4 million user datapoints. Examine, if you will, this from the discoverers of the exposure: TwelveSec Security. While you're at it, take a gander at this from ArsTechnica's Kate Cox.

Novus annus est!

Ring, Casted and Nulled

December 17, 2019 by Marc Handelman in Security Incompetence, Death of Privacy

Flawed security provisioning coupled with incompetent security management leads to Amazon’s Ring camera hacks, and the subsequent fear and loathing represented by those intrusions. Or, an Invasion of Privacy, by any other name.

US DOE OIG Report: Thousands of Severe Security Flaws Discovered

November 27, 2019 by Marc Handelman in US DOE, Cybersecurity Cruft, Cruft, Security Incompetence, US DOE OIG

via the DOE's Office of Inspector General, comes critically important news in a highly troubling US DOE OIG Report, for the DOE, energy consumers in the United States and interconnected energy firms servicing the energy requirements of neighboring countries (Canada and Estados Unidos Mexicanos) in North America.

"Throughout fiscal year 2019, management made 54 recommendations to programs and sites related to improving the Department’s cybersecurity program. Furthermore, in some instances, management provided opportunities for improvement at locations reviewed but did not issue formal recommendations" - via the DOE's Office of Inspector General scathing report

Kakistocracy* Via Phone And Twitter

November 19, 2019 by Marc Handelman in Security Incompetence, Kakistocracy

via Sean Gallagher, writing at Ars Technica, comes superlative reporting of telephone communications security failures in the 'highest-office-in-the-land, this time at a restaurant in Kyiv, Ukraine in conversation with the highest-office-holder-in-the-land and an incompetent Ambassador... Today's Must Read.

*Definition of Kakistocracy

Expedition Into Vulnerability

November 04, 2019 by Marc Handelman in Information Insecurity, Security Incompetence

via Dan Goodin - Security Editor at Ars Technica - comes this extraordinary piece detailing security incompetence (with both information and physical security components). Plus, a healthy dollop - if you will - of simple, homegrown stupidity in the car rental space.

'"All it took was me downloading the app and entering the VIN, then confirming connectivity through the infotainment system," Sinclair said late last week. "There MIGHT be a way to disassociate my phone from the car itself, but that hasn't happened yet, and it's crazy to put the onus on renters to have to do that. I have had no problems at all and have even unlocked the doors and started the engine when I could see that the vehicle was in the Missoula airport rental car parking lot."' - via Dan Goodin writing at Ars Technica

NORD'd

October 30, 2019 by Marc Handelman in Security Incompetence, Must Read

via Shaun Nichols - writing at El Reg - comes this highly entertaining piece, detailing the 'steps' NordVPN is planning on taking to beef-up the company's deeply flawed security stance... Today's Must Read.

'"We are planning to use not only our own knowledge, but to also take advice from the best cybersecurity experts and implement the best cybersecurity practices there are," NordVPN head flack Laura Tyrell said of the campaign. "And this is the first of many steps we are going to take in order to bring the security of our service to a whole new level."' - via Shaun Nichols - writing at El Reg

Image via State of Wyoming Game and Fish

Plundered, They Were

October 28, 2019 by Marc Handelman in Security Incompetence

via Shaun Nichols, writing at El Reg, comes this superb tell all - detailing Adobe Inc.'s (NASDAQ: ADBE) typically par-for-the-course security incompetence (anyone recollect Adobe Shockwave and Adobe Flash?): A tectonic-level data-leakage event with the resultant unleashing of 7,500,000 user records loose on our beloved interwebs.

"The exposed records include email addresses, account creation dates, details of products purchased, Creative Cloud subscription statuses, member IDs, countries of origin, subscription payment statuses, whether the user is an Adobe employee, and other bits of metadata." - via Shaun Nichols, scrivening at El Reg

NordVPN Keys Stolen 19 Months Ago

October 24, 2019 by Marc Handelman in Security Incompetence

Meanwhile, in astonishing security news targeting the latest VPN outrage.

I would suggest not relying on the 'security' of the VPN infrastructure 'managed' by NordVPN, but then - that should be a given.

"It was unclear how long the attackers remained present on the server or if they were able to use their highly privileged access to commit other serious offenses. Security experts said the severity of the server compromise—coupled with the theft of the keys and the lack of details from NordVPN—raised serious concerns." - via Dan Goodin writing at Ars Technica

The New Malware Target: MSPs, Domino Effect Ad Infinitum

October 21, 2019 by Marc Handelman in Security Incompetence, Information Security, Managed Service Providers

via Renee Dudley, writing for ProPublica comes extraordinarily bad news for those of you laboring under the mistaken belief that Managed Service Providers (and their ilk) can be trusted.

Comodo Takes Security Seriously... Wait, What?

October 04, 2019 by Marc Handelman in Security Incompetence, Security Heal Thyself, Security Failure, Information Insecurity

via Zach Whittaker, writing at Techcrunch, comes this interesting piece, describing a 'cybersecurity' company's (in this case - Comodo) abject faliure to protect it's own web presence (from a recently reported - and fixed-by-the-vendor flaw). A nearly perfect example of as to why security companies are generally distrusted (at least around here...).

Oh, and the ostensible cause? The highly reported on VBulletin Flaw (now fixed). However, the true cause was (and I assert still must be) gross incompetence displayed by Comodo, and of which, is certainly not the first time this company has appeared swimming in the murky sea of questionable practices, and behaviors indicative of criminality.

ASUS Cloud Services: Backdoor In Motion

May 20, 2019 by Marc Handelman in Cloud Security, Information Insecurity, Security Incompetence, Must Read

via the eponymous Dan Goodin, writing at Ars Technica, comes news of a cloud solution gone spuriously out-of-control. Certainly a clear-enough indication the 'Cloud' is not to be trusted, at any time, nor from any vendor - regardless of claims to the contrary. Today's Must Read.

Put A Couple Of Zeroes On It...

April 29, 2019 by Marc Handelman in Must Read, Information Security, Security Incompetence, Criminal Enterprise, Organized Crime, Cybernetic Crime

Quite likely the defining opinion piece, well-crafted by the inimitable Kara Swisher, writing at The New York Times, targeting the the entity known as Facebook, Inc. (NASDAQ: FB) (of which, in our opinion, is a classically structured and well organized criminal enterprise). Today's Must Read.

"With $23 billion in cash on hand, Facebook will see a $5 billion fine as simply the cost of doing business. Needless to say, this is not how fines are supposed to work." - via Kara Swisher's superb opinion piece at The New York Times

UN Aviation Agency Attempted Coverup, Minimization Of 2016 Cyberattack

March 04, 2019 by Marc Handelman in Corruption, Security Governance, Security Incompetence

Another reason to not put significant trust in the United Nations.

"In an email to the ICAO, the Lockheed Martin cyberintelligence analyst described the attack as "a significant threat to the aviation industry." It had the characteristics of a "watering hole attack" that targets visitors to a website. The UN agency, working with 192 member states and industry groups, is responsible for setting international civil aviation standards, including for safety and security." - via PhysOrg

Just A Crystal Based AM Radio, Not Really A Mobile Phone, I Just Happen To Appreciate The Photo.

Newly Discovered Security SNAFU 3G, 4G, 5G Networks Impacted: Here We Go!

February 05, 2019 by Marc Handelman in Security Incompetence, Radio Telephony

Catalin Cimpanu reporting at Zero Day, provides us with the Litany of Telephony Flaws: 2019 Edition (also known as just another day in Security Dreamland)... In which, the claim is proffered: 'fixes should be deployed by the end of 2019'; whilst I pontificate - definitavely - 'Dream On' Me Bucko! In an effort to be clear, this is not a condemnation of either the messenger or researchers, et al., but rather, when examining security prohylaxis or full remediation at the carrier level of this tripartite game, the carriers are rather recalcitrant conglomeration, don't you know...

H/T