Proprietary Software and Security

posted by Roy Schestowitz on Aug 13, 2022

• Microsoft Sues Activation Key & Token Sellers For Enabling Customers' Piracy

  Software sold by market leaders tend to be primary purchases for regular consumers. Brand comfort is important but so too is affordability, especially when pirate copies are available for free. Some find a middle ground with purchases of discounted activation keys but, as a new Microsoft lawsuit shows, that can amount to copyright infringement for buyers and sellers alike.

• No, you cannot trust third party code without reading it first

  For more than a decade I have been thundering against a lot of the bad practices that have permeated the software development industry, one such practice is to blindly trust code when using third party libraries, frameworks or packages. For about the same amount of time I have listened to all the reasons why time is money and we need to build something quickly, and we haven't got the time to do security or X, Y and Z. But alas, now such companies are beginning to pay the price, a very costly and extremely damaging price!

• Database Integrity Vulnerabilities in Boeing’s Onboard Performance Tool | Pen Test Partners

  Security gaps in older, unprotected Windows desktop versions of Boeing’s Onboard Performance Tool (OPT) could make certain Electronic Flight Bags (EFB) more susceptible to attack. In particular, OPT’s use of plain text configuration files and SQLite databases, means an attacker with physical access to an EFB could modify files directly on the device.

  While the likelihood of exploiting such gaps is low given existing regulations governing the use and employment of EFBs and Crew Resource Management procedures, if data modification occurs, and the resulting miscalculations are not detected during the crew’s required cross check or verification process, an aircraft could land on a runway too short or take off at incorrect speeds potentially resulting in a tail strike or runway excursion.

  Boeing released OPT version 4.70 and issued a service bulletin to operators to enhance the application’s security features and minimize the potential for manipulating OPT data. It is important that operators employing EFB solutions, including those that contain OPT, harden their devices and implement physical access controls in accordance with relevant aviation regulations.

• Sounding the Alarm on Emergency Alert System Flaws

  The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.

• Leaked NSO Group Presentation Details Malware’s Ability To Turn On Cameras, Mics To Surveil Targets

  Israel’s foremost purveyor of malware, NSO Group, has undergone nearly a yearlong reckoning. A leak last summer appeared to show NSO customers were routinely targeting journalists, activists, members of opposition parties, and, in one case, the ex-wife of a Dubai ruler.

• Local Simulation Feature To Be Removed From All Autodesk Fusion 360 Versions

  The removal of features from Autodesk products would appear to be turning into something of a routine at this point, with the announced removal of local simulations the latest in this series. Previously Autodesk had severely cut down the features available with a Personal Use license, but these latest changes (effective September 6) affect even paying customers, no matter which tier.

• Ransomware attacks are hitting small businesses. These are experts' top defense tips [iophk: Windows TCO]

  However, sometimes companies struggle with understanding or feeling fully protected by those policies. According to a recent study from Blackberry and Corvus Insurance, a high percentage of companies said they would hesitate to get into business with organizations that aren't covered by cyber insurance, recognizing its importance. However, just 14 percent of small and medium-size businesses have policies that cover over $600,000, restrictions that led more than half of respondents to say they hoped for more financial assistance from the government, particularly when attacked by a nation state. Many companies said there's a lack of transparency from some firms about what is actually covered by their policies, which are constantly getting more expensive.

• Researcher Finds Russian Cybersecurity Far Shittier Than The Mythology Suggests

  For much of the last decade, Vladimir Putin has attempted to compensate for various shortcomings (like a less sophisticated real world military) by launching cyber and propaganda attacks on much of the world. And while this, for a while, resulted in a mythology that Russia was in a league of its own when it comes to hacking and cybersecurity, the reality isn’t nearly that exciting.