Make-me-admin holes found in Windows, Linux kernel • The Register

Voice Of EU

Move over, PrintNightmare. Microsoft has another privilege-escalation hole in Windows that can potentially be exploited by rogue users and malware to gain admin-level powers.

Meanwhile, a make-me-root hole was found in recent Linux kernels.

Recent builds of Windows 10, and the preview of Windows 11, have a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.

As a result of this blunder, non-administrative users may read these databases, if a VSS shadow copy of the system drive is present, and potentially use their contents to gain elevated privileges. According to a US-CERT advisory, the issue appears to affect Windows 10 build 1809 and newer.

The advisory states that, if successfully exploited, this bug, dubbed by some as HiveNightmare, can be used to:

Or, more briefly, “a local authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts.” This can be used to thoroughly infect a system with malware, snoop on other users, and so on.

You may think you’re safe because your Windows PC doesn’t have a suitable VSS shadow copy, yet there are ways to end up quietly creating one, putting your machine at risk.

According to the advisory: “Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.”

US-CERT describes how to detect whether you have VSS shadow copies available, and it involves running vssadmin list shadows as a privileged user and seeing if any shadow copies are listed.

The VSS shadow copies are a key ingredient because the registry hive files are in use by Windows during normal operation, and so can’t be opened by a normal user even with the loose ACL. However, if shadow copies are available, you’ll find you can open the copies of the files held in the snapshot for inspection thanks to the sloppy ACL.
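As an added check that is not part of the article or the US-CERT advisory it cites, the following PowerShell script tests a host for the two conditions described above: hive-file ACLs that grant the local Users group read access, and the presence of VSS shadow copies (using the vssadmin list shadows command the advisory mentions). Expressing the test via the well-known Users SID and the ReadData right is my assumption about how to phrase the check; run it from an elevated prompt.

```powershell
# Added example, not code from the article or the US-CERT advisory.
# Checks a Windows 10/11 host for the two conditions described above for
# CVE-2021-36934: hive files whose ACL grants the local Users group read
# access, and VSS shadow copies that would make those files readable.
# Run from an elevated PowerShell prompt (vssadmin requires it).

$usersSid  = 'S-1-5-32-545'   # well-known SID for BUILTIN\Users, language-independent
$hiveNames = @('SAM', 'SYSTEM', 'SECURITY')
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = foreach ($name in $hiveNames) {
    $path = Join-Path $env:windir "System32\config\$name"
    $acl  = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # skip identities that cannot be resolved to a SID
        # Any Allow ACE for Users that includes the ReadData bit exposes the file
        if ($sid -eq $usersSid -and (([int]$ace.FileSystemRights -band $readData) -ne 0)) {
            $path
            break
        }
    }
}
$exposed = @($exposed)

# vssadmin prints one "Shadow Copy ID: {guid}" line per shadow copy
$shadowCount = @(vssadmin list shadows 2>$null | Select-String 'Shadow Copy ID').Count

Write-Output "Hive files readable by BUILTIN\Users: $($exposed.Count) of $($hiveNames.Count)"
$exposed | ForEach-Object { Write-Output "  $_" }
Write-Output "VSS shadow copies present: $shadowCount"

if ($exposed.Count -gt 0 -and $shadowCount -gt 0) {
    Write-Warning 'Loose hive ACL and shadow copies are both present; apply the vendor mitigation.'
} elseif ($exposed.Count -gt 0) {
    Write-Warning 'Hive ACL grants Users read access; a later Windows Update or MSI install may create the shadow copy.'
} else {
    Write-Output 'Hive ACLs do not grant BUILTIN\Users read access.'
}
```

The script only reports; the mitigation steps themselves are those in the advisory referenced in the article.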

Microsoft is aware of the flaw, which is assigned the ID CVE-2021-36934, and said:

Once word of the flaw got out earlier this week, it did not escape the attention of the infosec community. Mimikatz creator Benjamin Delpy tweeted:

Referring to the VSS requirement for exploitation, Delpy told The Register: “The snapshot is not the real problem, it’s the ACL.” And you don’t need to crack the hashes; it may be possible to use Mimikatz, for instance, to elevate privileges using this extracted data.

Delpy shared a video demonstrating just that, crediting Jonas Lykkegaard for spotting the ACL blunder.

It’s not a clear-cut issue, as some people claim their Windows 10 installations are not vulnerable when the deployments should be. We await more info from Microsoft. In the meantime, see the above advisory for instructions on mitigating the vulnerability. ®

It’s not just Windows: a security hole has been discovered in Linux kernels since version 3.16 that can be exploited by rogue users and malware already on a system to gain root-level privileges. The vulnerability has been assigned the ID CVE-2021-33909.

The Qualys team that found and responsibly reported the flaw dubbed it Sequoia, and we’re told the bug is present in “default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.” Thus, check for updates and install them as soon as you can, as patches should be available by now or shortly for your distro.

Technical details of the file-system-code-level programming blunder are here. Qualys’ proof-of-concept exploit required 5GB of RAM and a million inodes to succeed.

Qualys also found another security weakness in Linux systems, CVE-2021-33910, a denial-of-service kernel panic triggered via systemd. Patches are also available, so grab those updates, too.



Netflix employees join wave of tech activism with walkout over Chappelle controversy | Netflix

Voice Of EU

Published

on

Employees at Netflix halted work on Wednesday and staged a protest outside the company’s Los Gatos, California, headquarters to condemn the streaming platform’s handling of complaints against Dave Chappelle’s new special.

The actions – which hundreds participated in – are the latest in a string of highly visible organizing efforts in the tech sector, as workers increasingly take their grievances about company policies and decisions public.

“Three years ago, a worker walkout at a major tech company would have been unthinkable,” said Veena Dubal, a labor law professor at the University of California, Hastings. “White-collar workers across the world now understand their labor power, and their ability to change the unethical practices of their employer by withholding their labor.”

On Monday, the transgender employee resources group behind the walkout released a list of specific demands of Netflix, including more funding for trans creators, recruiting more diverse employees and flagging anti-trans content on the platform.

Tensions at Netflix started in early October, when Netflix leaders doubled down on their support for the comedian Dave Chappelle following criticism from viewers, the queer media watchdog Glaad as well as some employees that Chappelle’s new show contained jokes that were anti-trans.

As internal criticism grew, Netflix leaders continued to defend the special. Reed Hastings, the co-chief executive, reportedly said on an internal message board: “I do believe that our commitment to artistic expression and pleasing our members is the right long-term choice for Netflix, and that we are on the right side, but only time will tell.”

Ted Sarandos, the other co-CEO, claimed in an email obtained by Variety: “While some employees disagree, we have a strong belief that content on screen doesn’t directly translate to real-world harm.” He added: “Adults can watch violence, assault and abuse – or enjoy shocking standup comedy – without it causing them to harm others.”

The Sarandos memo in particular fueled the walkout, according to the Hollywood Reporter. “The memo was very disrespectful,” a staffer told the outlet on the condition of anonymity. “It didn’t invite a robust conversation about this hard topic, and that’s normally how things go.”

Ted Sarandos, co-CEO of Netflix. Photograph: Vickie Flores/EPA

Meanwhile, Netflix temporarily suspended Terra Field, a trans employee, who had tweeted that Chappelle “attacks the trans community, and the very validity of transness” and tied such comments to real-world violence. The company said Field was suspended because she had attended a meeting she was not invited to, but it later conceded she had “no ill intent”.

Netflix fired another trans worker who had been involved in organizing the walkout on allegations of leaking internal documents to the press.

“We understand this employee may have been motivated by disappointment and hurt with Netflix, but maintaining a culture of trust and transparency is core to our company,” a Netflix spokesperson told the Guardian about that decision last week.

The employee on Tuesday identified themself as B Pagels-Minor in an interview with the New York Times and denied “leaking sensitive information to the press”.

Social media event pages for the walkout have advertised a rally outside the Netflix headquarters in Los Angeles featuring public figures and speakers.

Staffers participating in the virtual walkout have vowed to halt work and focus on efforts to support the trans community.

‘A wave of worker walkouts’

This week alone, there have been protests at Netflix, at the grocery delivery platform Instacart and at Facebook by its content moderators. Uber drivers globally went on strike in 2019. Hundreds of Amazon workers walked out to protest against the company’s climate policies in 2019.

Walkouts have become an increasingly common tactic among tech employees. “We are seeing a wave of them,” said Jess Kutch, executive director of the Solidarity Fund, which raises money to support employees engaged in workplace organizing – including at Netflix.

Google employees were among the first to deploy the strategy on a large scale in 2018, when more than 20,000 workers around the world walked out over the news that the company had given a $90m severance package to an executive who was forced to step down over sexual misconduct allegations (which he has denied).

The incensed workers decried a culture of silence about sexual harassment and systemic racism and demanded Google make concrete changes to address such issues within the company. In particular, they targeted Google’s use of forced arbitration – a practice common in the tech industry in which workers settle legal disputes in a private forum, making it almost impossible for workers to sue their bosses in court and keep repeat offenders from being publicly recognized.

Google employees stage a walkout in Mountain View, California, in 2018. Photograph: Stephen Lam/Reuters

The November 2018 action changed the way workers in the tech industry organize, experts said. “Workers are observing their peers to see what is effective in moving decision makers, and replicating that in their own companies,” Kutch said.

Kutch noted tech employees studied other protest movements to determine the most effective forms of action, learning, for example, to release specific demands tied to their walkouts. “There is a degree of depth, commitment and planning that was not present even just a few years ago,” she said.

Organizers have particularly taken aim at the tools tech companies had long used to keep dissent internal. Faced with employee pressure, companies such as Google, Airbnb, Facebook and eBay were compelled to end forced arbitration practices.

Employees have also fought companies’ use of non-disclosure agreements, or NDAs, which were initially meant to protect trade secrets, but later allowed companies to keep accusations of wrongdoing from becoming public.

Last month, California passed a law that makes it illegal for firms to prevent employees from speaking out about such issues through the use of NDAs.

Organizing gained another boost when the Black Lives Matter movement and protests laid bare some of the huge inequities in tech and revealed the power of protest to change them.

“Workers woke up at that moment to the fact that if employers are able to discriminate against any one part of the workforce, it hurts everyone,” said Anastasia Christman, senior policy analyst at the National Employment Law Project.

“There have been isolated examples of this kind of thing for years, but employees are increasingly using the leverage of their labor to stand up for diversity and equity,” she added.

The price of whistleblowing

For some employees, the price of speaking out has been steep. Leaked memos showed that in early 2020, Amazon discussed smearing a warehouse worker who spoke out against the company’s Covid-19 practices and was later fired. (Amazon said the employee was fired for putting other employees at risk of Covid-19.) In September 2021, Amazon reached a settlement with two other employees who said they had been fired over their climate activism within the company.

Other whistleblowers have narrated how their lives were upended by speaking out against major tech companies. The worker behind the walkouts at Google, Claire Stapleton, left the company after 12 years of working there, due to perceived retaliation for her role in organizing.

Netflix told the Guardian in an email that it “respect[s] the decision of any employee who chooses to walk out” and recognizes “we have much more work to do both within Netflix and in our content”.

“We value our trans colleagues and allies, and understand the deep hurt that’s been caused,” the spokesperson said.

In a public blogpost, Field outlined much of the vitriol she has sustained for speaking out about the special. She said she did not necessarily want the show removed from the platform, but wanted accountability from Netflix to its workers and viewers.

“We’ve spent years building out the company’s policies and benefits so that it would be a great place for trans people to work,” she wrote. “A place can’t be a great place to work if someone has to betray their community to do so.”

Netflix CEO Sarandos told the Hollywood Reporter on Tuesday that he handled the situation poorly, but that he remains supportive of Chappelle’s work. He said that his previous memos “lacked humanity”, and did not acknowledge that “a group of our employees were in pain”, but said that his stance “hadn’t changed”.

Raspberry Pi 4 in price rise first, chip shortage blamed • The Register

The price of a 2GB Raspberry Pi 4 single-board computer is going up $10, and its supply is expected to be capped at seven million devices this year due to the ongoing global chip shortage.

Demand for components is outstripping manufacturing capacity at the moment; pre-pandemic, assembly lines were being red-lined as cloud giants and others snapped up parts fresh out of the fabs, and the COVID-19 coronavirus outbreak really threw a spanner in the works, so to speak, exacerbating the situation.

Everything from cars to smartphones has felt the effects of supply constraints, and Raspberry Pis, too, it appears. Stock is especially tight for the Raspberry Pi Zero and the 2GB Raspberry Pi 4 models, we’re told. As the semiconductor crunch shows no signs of letting up, the Raspberry Pi project is going to bump up the price for one particular model.

The 2GB Raspberry Pi 4 will now once again set you back $45, an increase of $10 from its previous retail price. It used to be $45, then was brought down to $35 early last year when the 1GB model was discontinued. Now it’s back up again. This is the first time the project has hiked its prices, the trading arm of the Raspberry Pi Foundation said.

Don’t worry, however: the bump is said to be temporary, and the board will eventually return to its original price of $35, company CEO Eben Upton announced on Wednesday.

The 4GB Raspberry Pi 4 and 8GB Raspberry Pi 4 versions will remain at $55 and $75, respectively. For those relying on a supply of $35 2GB boards, the project will bring back those 1GB Raspberry Pi 4 modules, priced $35.

“This provides a degree of choice: less memory at the same price; or the same memory at a higher price,” said Upton. 2GB for $45 or 1GB for $35. A choice, but not one people might expect.

“As many of you know,” he continued, “global supply chains are in a state of flux as we (hopefully) emerge from the shadow of the COVID-19 pandemic. In our own industry, semiconductors are in high demand, and in short supply: the upsurge of demand for electronic products for home working and entertainment during the pandemic has descended into panic buying, as companies try to secure the components that they need to build their products … At Raspberry Pi, we are not immune to this.”

The project is expected to make around seven million of its computer boards total this year, maintaining the same level of production as last year as the pandemic took hold of the world. This is unlikely to increase much next year either, Upton said. Judging from his explanation, this figure is lower than hoped: “Despite significantly increased demand, we’ll only end up making around seven million units in 2021.”

Pis containing 40nm chips will feel the chip crunch the hardest over the next year, meaning there will be limited supplies of devices older than the current generation of Raspberry Pi 4, Raspberry Pi 400, or Compute Module 4.

“In allocating our limited stocks of 40nm silicon, we will prioritise Compute Module 3, Compute Module 3+, and Raspberry Pi 3B, and deprioritise Raspberry Pi 3B+ … Our guidance to industrial and embedded users of Raspberry Pi 3B+ who wish to optimise availability in 2022 is to begin migrating your designs to the 1GB variant of Raspberry Pi 4,” Upton said.

The biz expects to be able to make enough systems using 28nm silicon – namely the Raspberry Pi 4 and Compute Module 4 – over the next 12 months to hold their price… bar the aforementioned 2GB model.

“These changes in pricing are not here to stay. As global supply chain issues moderate, we’ll keep revisiting this issue, and we want to get pricing back to where it was as fast as we can,” Upton concluded. ®

Irish fintech Swoop secures £2.5m from major UK bank firm’s bailout fund

UK-headquartered Swoop was one of three finance companies to receive funding from RBS, which previously gave the start-up £5m in 2019.

Irish start-up Swoop Finance has received £2.5m from a fund established by banking giant RBS.

In 2019, it was awarded £5m by the banking firm, which accepted a £45bn bailout from the UK government at the height of the financial crisis in 2018. The bailout programme came with the condition that RBS would set up a £775m fund to boost competition in the region’s finance sector.

Swoop is one of three companies to have benefitted from that fund, with the others being UK finance companies Codat and Cashplus. The three start-ups will receive a combined £12.5m in grants from RBS.

Codat and Cashplus will both receive £5m from the fund.

Swoop was founded in 2017 by former KPMG chartered accountant and corporate financier Andrea Reynolds along with Ciarán Burke. Reynolds spoke at Silicon Republic’s Future Human event last year about the process of launching Swoop. She said she founded it after she spotted a gap in the market for a virtual “finance buddy” aimed at SMEs seeking financial advisers and lenders.

Today, Swoop is headquartered in the UK and it employs around 60 people. It recently launched in Canada, adding to its existing locations in Dublin, London and Sydney.

The fintech’s backers include Enterprise Ireland and Velocity. It has raised around €1.6m so far. Speaking last year, Reynolds said the pandemic’s digitisation of the finance industry – and most other industries – had benefitted the company.

She added that the ongoing changes in the industry would hopefully “democratise finance” and “open up opportunities” to companies seeking funding no matter where they are located.

“The future is that you won’t need to know who the lender is,” Reynolds said.

“All decisions will be made through your data and you’ll get those decisions instantly. So you could have a lender in Barcelona lending to a business in Ballyjamesduff, for example. It won’t matter where you are. It’s what your profile is and does it match to their algorithm.

“This means it’ll open up opportunities. It’ll democratise finance further because businesses, regardless of where they’re located, will not be disadvantaged. Everybody will have this at their fingertips,” she added.

Reynolds said she had seen “a 30pc increase in businesses moving online” during the Covid-19 pandemic.

Swoop also recently announced its partnership with UK automated cashflow and credit management company Itsettled.
