Microsoft Bug Bounty Program: How Does 30K Sound to You?

4GHadmin | 27 August 2019
Reading Time: 3 minutes

Most people have claimed a reward of some type at some point in their lives. Return someone’s smartphone to them, for example, and they’ll probably think your honesty in returning it is worth $50 at least. Or maybe you return someone’s precious pet to them and get a whole lot more than that for your effort or, more likely, good fortune in having it cross your path or end up in your backyard. But what if there was up 30K in reward money to be had?

Well, up to that amount is what software development mega-giant Microsoft is offering anyone who can find flaws in their newest Chromium-based Edge browser. Now the likelihood of most people – myself included – even having the ability to do that is pretty slim, but for those who are web development savvy it’s definitely something worth taking note of.

Now to be sure, just as it would be for any Canadian web hosting provider we’ve got some talented people on staff who do have the wherewithal required for something like this. They’re aware, and now you are too so let’s get into discussing what exactly all this is about and whether or not this would be not just easy money, but a LOT of easy money.

Beta Stage Bonuses

Microsoft recently released the beta version of its Chromium-based Edge and then introduced the Insider Bounty Program along with it. As mentioned, there’s apparently up to $30,000 to be had for those who find out unique vulnerabilities in this beta version of their new browser.

Yes, that’s what you can do when you have deep pockets to this extent. You’d have to find a thousand+ lost phones and pets to come even close!

To clarify though, 30K is only available if you find a flaw that is a vulnerability that leads to escape from the WDAG container. The majority of would-be rewards included in the Microsoft Edge Insider Bounty Program are in the range of $1,000 to $3,000, depending upon the bug’s severity and – take note – the quality of the submission (see thoroughness – less work for them = more $ for you).

Quality Control & Then Some

Microsoft has stated that the goal of the Microsoft Edge (Chromium-based) Insider Bounty Program is to dig up vulnerabilities that are unique to the next Microsoft Edge and have the potential for a direct and demonstrable impact on the security of their customers. Quite admirable, and not out of the ordinary for software developers in as far as the aim itself is concerned.

Attaching big money $ to that, however, is out of the ordinary.

It is true that Microsoft has a lot riding on the success and widespread adoption of it’s new Edge browser, particularly given the success of Google Chrome that the current Edge is very much playing second fiddle to.

It is reported to have features unique to Chromium Edge like Internet Explorer mode, PlayReady DRM, Sign in with Microsoft Account (MSA) or Azure Active Directory (AAD), Application Guard and a few others.

Growth of the Bug-Finder Business

Turns out discovering unique bugs on the latest version of Edge can be a big business. As mentioned, Microsoft will issue rewards in various tiers, and these are the ones:

  • Spoofing and tampering related security impact – between $1,000 to $6,000, depending on the quality of the report
  • Information Disclosure and Remote Code Execution (RCE) can get you between $1,000 to $10,000 depending upon the severity of the report
  • Vulnerability resulting from Elevation of Privilege (EoP) will get you between $5,000 to $15,000
  • And again, the biggie – 30K for vulnerability resulting in escape from the WDAG container to the host

As you’d expect, there are Terms and Conditions for participating in the Microsoft Bug Bounty Program. The report submission must also include tangible proof, and have sufficiently demonstrated the vulnerability exploitation and the potential impact it might have on users.

Know your stuff? Scour over the Beta of Microsoft’s newest edge and see if you can earn the largest reward you’re likely to ever receive in your life!

0

Overcoming Issues with Most Recent Windows 10 Update

4GHadmin | 19 August 2019
Reading Time: 3 minutes

A while back we had discussed some of the particulars with of the latest revisions available to people running desktop and notebook running Windows 10. Needless to say that encompasses a great many of them purring away at any given time all around the world, and it’s for that reason that some frequent undesirable occurrences seen with the most recent Windows 10 update are sufficiently noteworthy to the point that it makes sense for us to write about them in this week’s blog.

Here at 4GoodHosting, a part of what makes us a leading Canadian web hosting provider is the way in which we’re proactive in sharing information that’s easily identified as having value to our customer base. Given how ubiquitous the Windows OS is for personal computer users and the reality that’s unlikely to change, we’re going to discuss more than a few problematic issues that users are encountering quite frequently with the most recent Windows 10 update.

Reason enough to have less faith in the OS? That’s for you to decide.

The Issues

Where there’s smoke there is fire. While there had been rumblings about shortcomings with the latest Windows 10 update for a while, the way it is in the biz is that you don’t really take heed of these sorts of things until these sort of expressions of dissatisfaction become a little more numerous than just a few people here and there.

That’s the case now, and the consensus is that the latest update for Windows 10 is causing a string of issues for users. The update comes with patches against two critical vulnerabilities, but it seems they’re leading to problems. Among them are random reboots and inexplainable installation failures.

The update was made available on Tuesday of last week, and was created as a defense against a pair of remote code execution vulnerabilities which were deemed ‘wormable,’ – which means they are able to jump from one infected computer to another. Microsoft owned up to these vulnerabilities and informed users about the patches in a blog post, with users being encouraged to update their operating systems without delay.

Primary Problem 1, with Fix

Some users, however, have encountered difficulties when trying to apply the latest update,. To their credit, Microsoft has acknowledged that there ‘known issues’ with the update do exist.

Most notable among them:

A small number of devices may deliver a black screen on start up during the first logon after installing updates, and that this would be disconcerting for users.

The good news is there is a very simple fix for this;

  • Using Ctrl + Alt + Delete on the black screen and then using the Power button in the bottom right of the screen to select Restart. This should prompt the PC to boot normally.

Primary Problem 2, and NO Fix (Yet?)

The other significant problem with the update is the way it seems to be able to break some Visual Basic applications. More than a few users have reported that after installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) are seemingly no longer responding to basic requests and coming with them is a ‘invalid procedure call error.’ As the header there suggests, at this point at least there is no fix for this problem.

Similar feedback shared via a number of online discussion spots have also talked about repeated instances where the update causes random reboots to their systems. Others still are having problems downloading and installing the update itself. Microsoft reports that it is working on a solution for these issues, and those solutions should be rolled out in a future update.

What You Can Do

If you’ve gone with this recent Windows 10 update and are encountering one or all of these issues then the advice from the source is to update your operating system, and do so even if you’re worried about update issues with the security vulnerability being patched in the way it has been. It’s good advice, but be forewarned that you might see some issues with the update process.

If avoiding the update issues altogether is preferable for you – and you haven’t taken the update yet -, plus you’re okay with some risk, then there’s also this option; pause Windows updates until Microsoft announces a fix to this one.

0

40+ Different Device Drivers Found to Have Malware Security Flaw

4GHadmin | 12 August 2019
Reading Time: 3 minutes

The scope and extensiveness of malware risks for computing devices is more pronounced than ever before, and that’s pretty much the story from one month to the next these days. At a recent security conference in Las Vegas, the Eclypsium security research team announced they had dug up some serious security flaws in at least 40 device drivers from 20 different vendors. These vulnerabilities could increase the likelihood of devices being infected by malware.

While this type of development in itself is nothing out of the ordinary, what makes it noteworthy is the sheer number of different drivers that may be affected. Here at 4GoodHosting, we’re like any other reputable Canadian web hosting provider in that we strive to make our customers aware of risks to their digital security when they arise. When one is as potentially far reaching as this one, we’re almost always going to make some sort of announcement regarding it.

The Latest

The research team’s report is stating that this malware targets system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component. By doing so what the attackers have done is take the same tools used to manage a system and then turn them into powerful threats that can escalate quickly on the host.

Once the driver is infected it then provides the attacker with optimized access for means of launching malicious actions within all versions of Windows, and Windows Kernel most notably.

Do note that all these affected drivers are ones certified by Microsoft:

  • American Megatrends International (AMI)
  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • GIGABYTE
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • NVIDIA
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

The Why

All of this is related to a specific design flaw in Windows device drivers. They have a functionality that can be taken advantage of to perform a read/write of sensitive resources without being restricted by Microsoft. Some are suggesting that bad coding practices are to blame for this, and while that can’t be substantiated it is true that there is a more pressing need for better ones these days and older work can be suspect.

At present, the understanding is that Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to create a blacklist of drivers that are reported to them. The only problem there is that the HVCI feature is only available with 7th gen Intel CPUs along with newer processors only. The situation for older operating systems would be the need for manual installation, and this would also be true for newer ones where HVCI can’t be enabled.

Microsoft is now recommending that its users work with Windows Defender Application Control or turn on memory integrity for supported devices in Windows Security. This should block malware in software and drivers.

The Motivation for Developing Malware

Many people ask what exactly is in it for these malware developers to spend as much time as they do creating this infections and releasing them onto the world. Not sure there’s a clear answer to that, but it’s a good question. After all, people will assume that there’s nothing really to be gained by creating malware other than perhaps an individual sense of deranged satisfaction in messing with people and businesses.

This would be an incorrect assumption, however. The truth is that these people go to the effort to make malware because there’s money in it. For example, a botnet; a network of thousands – or even hundreds of thousands – of computers belonging to everyday people that have been infected with software that usually work to send out LOTS of spam.

Once a botnet network is established then it can be rented by individuals and organizations who want to send out spam promoting whatever it is they want promoted. Botnet owners make money, and same goes for keyloggers – they capture usernames and passwords and sell this information to whoever would like it and for whatever purpose.

These are just 2 examples of many. Long story short, the reason there’s people working to make malware is because – strangely enough – it’s profitable in one way or another.

0

Facebook Set to Introduce its Own Cryptocurrency

4GHadmin | 06 August 2019
Reading Time: 4 minutes

With the fact that they barely blinked then slapped with a $5M dollar fine recently with the Cambridge Analytica scandal, it’s a reminder that Facebook is as deep-pocketed as one can be. Not surprising that the world’s social media mega giant is so wealthy, and as such we can also assume that they have the bucks needed to get into whatever venture they choose to. The fact that they’re doing so in cryptocurrency is one, however, where they sheer magnitude of what this could mean within the world of online e-commerce.

Here at 4GoodHosting, being a quality Canadian web hosting provider put us in a more natural position than most to be attuned to these kinds of developments and what they can mean for the ‘general public’ of the 21st century digital world. We’ve talked about Blockchain here in our blog before, and it’s on this game-changing piece of fintech (financial technology) that this – and all types of cryptocurrency – are based on.

This kind of industry disruption is one of the more defining aspects of the digital world these days, and the ‘disruption’ that could come from this is really one to talk about. No doubt the banking world won’t be particularly enthusiastic about it.

So what’s this all about?

New Way to Pay

Facebook’s digital currency-to be will be called Libra, and the ‘crypto wallet’ you’ll use to carry it is called Calibra. What you’ll do is download the Calibra digital wallet application, purchase the Libra digital currency through a financial network, and then exchange payments with peer-to-peer digital money transfers through Calibra standing alone as an app. It’s reported that users will also be able to do the same thing through Facebook’s subsidiaries WhatsApp and Messenger.

The Libra platform is expected to launch sometime next year, in 2020, and it’s being promoted as a cryptocurrency app that will let Facebook users send, add or withdraw money as weill as allowing someone to fill their wallet, cash out or split a restaurant tab all using Messenger. Further, you may eventually be able to pay bills, buy a cup of coffee with the scan of a code, or taking transit without needing to have cash or a metro pass in your pocket.

For exchange rates between fiat currency and Libra, Calibra will show them as well as what it will charge to convert it back again. The key is that blockchain is serving to cut out the middleman, in this case a central bank or clearing house. With that goes the majority of costs associated with these types of financial transactions.

Facebook is promising that their transaction fees will be low-cost and transparent, and particularly so if you’re sending money internationally. By cutting fees made possible by utilizing blockchain, Calibra promises to leave more money at your digital disposal.

Powerful and Safe

The blockchain transactional network on which Calibra will exist will be able to handle thousands of transactions every second, and data on those financial transactions will be kept separate from data about the social network. This assurance will of course be very important to users. Calibra will not share account information or financial data with Facebook or any third party without customer consent, meaning account information will not be used for customers’ account information. Nor will financial data be used to improve ad targeting on the Facebook family of products.

Libra is reported to be different from other cryptocurrencies like bitcoin, in that it is backed by fiat currency. This means its value is not simply determined by supply and demand like the others. It’s also going to be designed so that it will be interoperable with other cryptocurrency wallets because they’ll run on top of the same blockchain network.

Facebook will secure financial transactions made through its digital wallet app in a number of different ways; for starters, they will not be in charge of governing the blockchain network. Instead, that will be handled by the Libra Association, which is made up of dozens of other companies – Visa, MasterCard, PayPal, and Uber among them. Additionally, all accounts and transactions are verified and fraud prevention is built in to the app. Accounts are verified with government-issued IDs, such as a driver’s license, so users can be certain other users are who they say they are.

Calibra will also have an in-app reporting function and dedicated customer service.

Facebook’s Libra Project appears to be a hybrid blockchain one that is a mix of permission and public ones. What this means is that it connect to banks to verify and onboard users (permission) and then uses a public blockchain to enable the users to transfer or spend funds.

Where’s the Profit?

Long story short, there’s huge potential for Facebook here to generate via ad revenue, with the understanding that there will be more conversion of consumers who view ads. It should also be a more attractive e-commerce marketplace that gains sellers and buyers in growing economies where access to e-money services for transactions may be limited.

A stat that speaks to that – almost half of all adults globally don’t have an active bank account. These numbers are worse in developing countries, and even worse for women.

All of this is very much in its early stages, but make no mistake about it – Social media’s colossus is going to be one of the ‘early birds’ getting the worm when it comes to cryptocurrency.

0