Roundup It was another week of furious firefighting in the security space, including the curious tale of a Forbes "most promising" entrepreneur indicted over alleged phishing attacks, new privacy laws in the US, software flaws and more.
VMware Tools patched for Mac bugs
Those running VMWare guest machines on Mac will want to update their software to get a security fix for VMware Tools (the software that links the guest and host machine).
A patch was released for a denial-of-service flaw (CVE-2020-3972) in Tools for Mac that would potentially allow an attacker's code from the guest machine to crash their VM. Not a particularly bad security risk, but an annoying bug, for sure.
Mind you, this bug only appears when both the host and guest machines are running MacOS, so if you stick with Linux or Windows VMs, you won't be encountering this flaw.
Office for Mac plays catch-up with security fixes (and a bonus Windows patch)
Earlier this month, Microsoft dropped its usual boatload of Patch Tuesday updates, sans a set for Office for Mac. A week on and Mac users were getting their patches for four CVE entries.
The most serious will be CVE-2020-1225, CVE-2020-1226, and CVE-2020-1321, which allow for remote code execution via a poisoned Excel file. While Microsoft didn't consider these to be "critical" risks as the user has to open the file on their own, anyone who regularly sends and receives Office docs knows how easy it can be to open up a file without properly checking its source.
The fourth bug, CVE-2020-1229, allows for security feature bypass.
Those running Office for Windows should have the updates along with the other Patch Tuesday fixes, but if you haven't got to that yet, now would be a great time.
There was also one fix from Microsoft for Windows Spatial Data Services, a set of REST APIs for working with, of course, spatial data. The elevation of privilege error (CVE-2020-1441) requires an attacker's application to be already running on the machine, and if that is taking place, it's already pretty much game over.
'Anonymous' hackers take credit for Atlanta police website takedowns
A group claiming to be part of the Anonymous movement said it was responsible for a website outage at the Atlanta, GA Police.
Local news says that the June 14 outage had the police website offline from 8:30-11:30 AM.
The AnonOpUSA Twitter account laid claim to the outage, saying it was an attack in retaliation for the death of Atlanta man Rayshard Brooks at the hands of police. These Anonymous attacks, by design, can be difficult to verify so it's hard to say for sure who was behind the takedown or if/when they plan to strike again.
Microsoft adds rootkit scanning to Windows Defender
Good news from Redmond – Microsoft said it can scan UEFI firmware with Windows Defender Advanced Threat Protection. This means that users who run the Microsoft security suite for their antimalware needs have a way to scrub their machines for hard-to-remove rootkit infections.
This takes some doing, even for Microsoft, as chipset makers try to keep the firmware as insulated from the rest of the operating system as possible to prevent attacks and exploits.
"It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP," Microsoft boasted.
Influential senator pushes for new privacy law
Sherrod Brown (D-OH), a ranking member of the powerful US Senate Committee on Banking, Housing, and Urban Affairs, said he wants the government to pass a strict new set of privacy laws.
Brown put forward a draft of what he brands the Data Accountability and Transparency Act of 2020.
The bill would call for, among other things, an outright ban on facial-recognition technology and the creation of a new Federal agency dedicated to protecting personal privacy.
The draft bill is certainly ambitious, and Brown has no shortage of sway on Capitol Hill, but we're guessing provisions like the facial recognition ban for the requirement of audit reports for anything deemed "decision-making algorithms" will be non-starters with many in the Senate, so don't expect this one to go into law any time soon.
Man admits to running $11m phishing fraud scam
A man from Nigeria once dubbed a rising star in the African business community admitted to operating a set of business email compromise scams that netted him and others at least $11m.
The US Department of Justice says that 32-year-old Obinwanne Okeke had a part in a number of phishing attacks and fraudulent wire transactions against a number of companies including construction gear giant Caterpillar. He pleaded guilty to one count of wire fraud.
Okeke, who was once featured in the Forbes Africa 30 most promising entrepreneurs under 30 list, was ostensibly an entrepreneur CEO of the Invictus Group of companies, but according to prosecutors was actually getting money through business email compromise schemes.
He faces up to 20 years in prison when he is slated to be sentenced in October by a Virginia Federal Court.
US government unveils pilot DNS security program for contractors
The NSA says it is in the process of running a pilot program to offer DNS security services for government contractors.
The idea, according to NSA head of cybersecurity Anne Neuberger (via NextGov), is to get better DNS security into the hands of small and mid-size contractors who don't have the money for their own dedicated security operations but because of the government work they do are at risk of attacks. Neuberger noted that the project is still in its early phases (the NSA hasn't even identified a service provider) but the hope is that it could reduce malware infections at government contractors by more than 90 per cent.
Tech giants graded poorly for China policy
A House Republican said that, surprise surprise, social media providers aren't doing enough to stop Chinese propaganda.
Rep. Michael McCaul (R-TX) of the House Foreign Affairs Committee issued a series of scorecards taking Twitter (graded D-), Facebook (C+), and YouTube (C-) to task for, in his opinion, failing to crack down on pro-Communist Party material coming out of China.
Criteria include not only taking down propaganda, but also preventing officials from getting verified accounts and fact-checking posts.
"The solution is simple – deplatform CCP officials and propagandists who consistently spread lies," said McCaul, the lead Republican on the Committee.
"Sadly, while we had some positive conversations and some steps have been taken, these companies have chosen to allow CCP officials to continue to operate on their sites instead of doing what's right."
Oracle subsidiary sees data cache exposed
An Oracle-owned marketing company is being cited as the source for a potentially massive exposure of data collected via web tracking.
The collection of billions of records has been attributed to unnamed companies running tools from BlueKai, whose service lets marketers track user activity to target their web ads. Apparently this was yet another case of a database not being properly secured by a customer, only to be stumbled upon later by researchers.
Oracle claims the data has since been locked down (and may have been scrubbed for personally identifying info even when it was exposed), though the fact remains that tracking records were left sitting out on the open internet for some time, and it can't be said for sure who might have accessed it.