Customer Service and Support

Microsoft Security Slate

August 4, 2016
Top of News | Vulns | Enterprise | Consumer | Attackers | Security Pro | Privacy | Gov/LE | GBU | Resources

Top of the News

Telegram Makes Statement in Aftermath of Massive Hack Attack
IT Tech Post

Reuters reported on August 2, 2016, that Iranian hackers compromised more than a dozen
accounts on the Telegram instant messaging service and identified the phone numbers of 15
million Iranian users. Telegram has issued a statement that the Iranian accounts "were not
accessed" and the released information was already in the public domain.

Microsoft Signs Up for Privacy Shield

Microsoft on the Issues

Microsoft on August 1, 2016, signed up for the EU-U.S. Privacy Shield and submitted its
certification to the U.S. Department of Commerce one of the first companies to do so.

Banner Health Alerts 3.7M Potential Victims of Hack of Its Computers

Network World

Banner Health said that it discovered a cyberattack that took place from June 23, 2016 to July
7, 2016. The provider of hospital services has notified 3.7 million people including patients,
health plan members, healthcare providers, and customers at its food and beverage outlets
that their payment card and health plan data may have been compromised.

Russia Cyber Attack: Large Hack 'Hits Government'

BBC

Russia's Federal Security Service (FSB) reports the discovery of a "cyber-spying virus" in the
networks of about 20 state organizations and scientific and defense companies.

South Korea Says North Korea Hacked Email Accounts of 56 State Officials
Softpedia

South Korean investigators say that they detected more than 90 attempts to hack the email
accounts of various state officials, and claim that the hackers used the same techniques they
employed in similar attacks they carried out against South Korean officials back in 2014.

Vulnerabilities and Updates

Four High-Profile Vulnerabilities in HTTP/2 Revealed
Help Net Security
Imperva released a report (PDF) at Black Hat USA 2016 that documents four high-profile
vulnerabilities found in HTTP/2, the new version of the HTTP protocol.

Mozilla Releases Security Updates

US-CERT
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR that
could allow a remote attacker to take control of an affected system.

Cisco Releases Security Updates

US-CERT
Cisco on August 3, 2016, released security updates to address vulnerabilities in several
products, some of which could allow an unauthenticated remote attacker to take control of an
affected system. An additional advisory, "Cisco IOS Software Crafted Network Time Protocol
Packets Denial of Service Vulnerability," released on August 4, 2016, addresses a vulnerability
that could allow an unauthenticated, remote attacker to cause an interface wedge and an
eventual denial-of-service (DoS) condition on the affected device.

Google Adds New Kernel-Level Protections for Android

DarkReading
Google on July 27, 2016, rolled out memory level protections and other security measures to
protect the Android Linux kernel against malicious attacks.

WPAD Flaws Leak HTTPS URLs

Threatpost
Researchers from SafeBreach have found flaws in the Web Proxy AutoDiscovery (WPAD)
protocol tied to DHCP and DNS servers that could allow hackers to spy on HTTPS-protected
URLs and launch different attacks against Linux, Windows, or Mac computers.

ISF Updates Security Standard, While Encouraging Accountability

eWEEK
The Information Security Forum (ISF), a not-for-profit association that offers research-based
security guidance to a global membership of enterprises, on July 27, 2016, issued a major
update to its guide for meeting objectives from the U.S. National Institute of Standards and
Technology (NIST).

Enterprise/SMB
Microsoft Brings Together IT Management and Security for the Hybrid Cloud
Microsoft Server & Cloud Blog
New and improved security features are now generally available for Microsoft Operations
Management Suite (OMS), a set of cloud-based services that offers analytics, automation,
configuration, security, backup, and site recovery.

Almost Half of US Businesses Hit by Ransomware, Says Study

PCWorld
Malwarebytes researchers report that 41 percent of US businesses and 42 percent of UK
businesses have encountered between one and five ransomware attacks in the previous 12
months.

4 Laptop Security Trends You Should Know About

Network World

Businesses would be wise to employ the following techniques to secure employees' laptops:
1. Laptop kill switch
2. Microsoft Hello authentication
3. Bulletproof Gmail access
4. Dell Advanced Threat Prevention

How to Roll Your Own Threat Intelligence Team

DarkReading
Organizations can build their own threat intelligence teams to drive enterprise security by
following five suggestions:
1.
2.
3.
4.
5.

Establish an intelligence priorities framework.

Incorporate and consolidate intelligence sources.
Map your intelligence collection.
Find the best talent.
Tailor the finished products to the audience.

New IBM Security App Uses Analytics to Target Internal Threats

Enterprise Security Today

IBM QRadar User Behavior Analytics, a new app from IBM, will help businesses determine if
the credentials or systems of their own employees have been compromised.

Consumer/Mobile
Frequent Password Changes Are the Enemy of Security, FTC Technologist Says

Ars technica
When people are forced to change passwords on a regular basis (such as every 60 or 90 days),
research shows that they often use a transformation technique and just make small
adjustments to an existing password. Researchers used transformations and developed
algorithms that were able to predict password changes with great accuracy.

Android Users to Be Warned of Suspect Google Account Activity in Real-Time

Help Net Security
Google will roll out a new security feature for Android that will allow users to quickly discover
that their Google account has been compromised.
Related reading: Android Users to Receive Notifications When New Devices Added to Account.

Google's HSTS Rollout: Forced HTTPS for Google.com Aims to Help Block Attacks
ZDNet
Google is forcing visitors to the google.com domain to do so only through secure HTTP Strict
Transport Security (HSTS) on the google.com domain to prevent users from navigating to its
site using the insecure HTTP. About 80 percent of requests to Google servers are through
encrypted connections, but the company is hoping that the HSTS (or HTTPS) rollout will
contribute to its goal of total encryption across its products and services.

Black Hat Security Conference Trims Insecure Features from Its Mobile App
Network World
Black Hat has disabled features of its mobile application that could allow attackers to log in as
legitimate attendees, post messages in their names, and spy on messages.

WhatsApp and Myth Behind Its Encrypted Chats

HackRead
WhatsApp reportedly keeps a forensic trace of users' chat logs even after deletion by the user.
This is even after WhatsApp introduced end-to-end encryption.

Attackers and Hackers

New Gozi Trojan Version Can Bypass Some Behavioral Biometrics Defenses
Softpedia
The existing Gozi banking trojan uses web injection attacks for each targeted financial
institution. Each Gozi module can collect logon credentials and hijack the payment transfer
webpage. The new version works in real time, using nefarious human operators who decide
which account to attack.

How Hackers Used This Trojan Malware to Spy on a Territorial Dispute

ZDNet
F-Secure Labs has discovered NanHaiShu, a remote access trojan (RAT), which is being used to
steal data from some of the governments and private sector organizations involved in the
dispute over territory and sovereignty in the South China Sea.

Data Program Accessed in Cyber-Attack on Democrats, Says Clinton Campaign

The Guardian

The Clinton campaign says that its data program was part of a hack of the Committee (DNC)
that intelligence officials believe was carried out by Russias intelligence services.
Related reading: Anonymous Hacks Sarah Silverman Twitter for Bernie or Bust Comment.

How Hackers Can Make 'Virtually Any Person' Click on a Dangerous Link
ZDNet
Researchers at the University of Erlangen-Nuremberg in Germany, who study human factors in
security and privacy, say that hackers can trick almost anyone into clicking on a link, despite
their security awareness.

Active iOS Smishing Campaign Stealing Apple Credentials

McAfee Labs Blog
There is an active phishing scam targeting iOS users that is delivered via SMS messages. The
message tricks users into accessing a fake site in an effort to steal their Apple credentials.
Related reading: Apple Warns Customers About 20 iTunes Phishing Scam Emails.

Banking Trojan Being Distributed via 'Legitimate' PayPal Accounts - UPDATED

V3.co.uk
Proofpoint says that hackers are using PayPal to distribute the Chtonic banking trojan, a
variant of Zeus.

Security Professional
Enhancing IoT Security: Azure IoT Support for X.509 Certificates Now Available
Microsoft Internet of Things
Microsoft on August 2, 2016, announced Azure IoT support for X.509 certificate device
authentication, considered the gold standard for exchanging data between two parties, such
as a device and cloud platform, with cryptographic safeguards that allow businesses to be
alerted to any potential exposure of information in transit.

Microsoft Obtains New Cloud-Centric ISO 27017 Certification

Microsoft Azure
Microsoft Azure obtained the ISO/IEC 27017:2015 certification, an international standard that
aligns with and complements the ISO/IEC 27002:2013 with an emphasis on cloud-specific
threats and risks. Customers can download the certificate.

Panasonic Avionics Launches Bug Bounty Program

Security Week
One of the worlds biggest suppliers of inflight entertainment and communications systems
has launched a bug bounty program on the HackerOne platform. The program will be
available to only a select group of hackers by invitation.

Power BI July Update for Service and Mobile

Microsoft Power BI Blog
The Power BI team recaps its new features, including data classification, which allows users to
select a risk classification for the business data presented in a specific dashboard.

Enhancing Information Rights Management in Word, Excel and PowerPoint Mobile

Apps
Microsoft Office Blogs
Microsoft is extending Azure Rights Management to the Word, Excel, and PowerPoint mobile
apps for Android. This means that information rights management (IRM) is now supported
everywhere in Office Mobile.

Privacy
Article 29 Working Party and the EDPS Advise That EU Should Preserve and Not
Reduce ePrivacy Rules
Bird & Bird
The article summarizes the recent opinions from the Article 29 Working Party (A29WP) (PDF)
and the European Data Protection Supervisor (EDPS) (PDF) on the review of amended
Directive 2002/58/EC concerning the processing of personal data and the protection of
privacy in the electronic communications sector (the ePrivacy Directive).

Facebook Live, Periscope May Lead to Change in Privacy Policies

Financial Express
Live video streams, or mobile streaming video technology (MSVT), will require new privacy
laws and policies.

Microsoft Continues to Meet Its Commitments to GNI Principles on Internet Freedom

of Expression and Privacy
Microsoft on the Issues Blog

Microsoft is a founding member of the Global Network Initiative (GNI), a multi-stakeholder

initiative that is dedicated to advancing freedom of expression and privacy on the global
internet. GNI recently published the results of its second independent assessment of GNI
member companies, and again determined that Microsoft complies with the GNI Principles.

Top Retailers Consumer Data Collection Plans Raise Privacy Violation Concerns
YLE UUTISET
The S Group, which is the top-grossing firm in Sweden's retail and services sector, is planning
to start collecting detailed information regarding its customers' purchases beginning
September 2016. Finland's consumer advocates are questioning the move.

Commercial Drones: Four Looming Legal Concerns

Tech Pro Research

CEOs who are considering the use of commercial drones should consider key legal issues,
including trespass, privacy, safety, and nuisance.

Government/Law Enforcement
Systematizing Privacy and Governance of Data and the Internet of Things
Data-Smart City Solutions

The article looks at Seattles Technology Privacy Policy and New York Citys Internet of Things
Privacy Policy, their advantages and disadvantages, and what's next for privacy policies.

DHS Preps Advice to Help Election Officials Protect Electronic Voting Machines from
Cyberattack
Government Technology
Following the high-profile breach of Democratic National Committee emails, the US
Department of Homeland Security (DHS) is preparing advice for election officials to better
protect electronic voting machines, online ballots, and vote counts from hackers.

Comcast Wants Its Broadband Users to Pay for Their Privacy

ZDNet
The company said in an August 1, 2016, filing with the US Federal Communications
Commission (FCC) that it wants to give "discounts or other value to consumers in exchange
for allowing ISPs to use their data." This move is similar to that of AT&T, which charges users
significantly more to opt out of the company's own advertising system. Essentially, consumers
would have to pay for their privacy.

DHS Announces Cyber Incident Reporting Information

US-CERT
Following the recent release of Presidential Policy Directive 41, the US Department of
Homeland Security (DHS) has released guidelines and points of contact for reporting cyber
incidents to the US federal government.

Law Enforcement and the Deep Web: Willing, but Underfunded

Trend Micro
Many police departments simply dont have the in-house expertise or resources to police the
Deep Web.

INTERPOL Arrests Business Email Compromise Scam Mastermind

Trend Micro
INTERPOL and Nigerias Economic and Financial Crime Commission (EFCC), along with
collaboration with Trend Micro, arrested the mastermind behind multiple business email
compromise (BEC), 419, and romance scams.

The Good, The Bad, and The Ugly

This Tiny Device Can Infect Point-of-Sale Systems and Unlock Hotel Rooms
PCWorld
Rapid7 senior security engineer Weston Hecker demonstrated at Black Hat USA 2016 a device
that, when placed near a card reader, will send malicious keyboard commands that will be
executed on the point-of-sale system. This means that the attackers can trick card readers
from less than five inches away. And because the device is about the size of a deck of cards, it
can easily be hidden in the attacker's phone case or up a sleeve.

This ATM Hack Could Allow Thieves to Make Off with Thousands
ZDNet
A security vulnerability in new ATMs can be exploited to make them release large sums of
cash. Weston Hecker (yes, same as above) displayed to the Black Hat audience how the
bypass could allow criminals to make off with up to US$50,000 from a machine in under 15
minutes.

This Time, Miller & Valasek Hack the Jeep at Speed

DarkReading
Another Black Hat presentation will show how they can remotely take over a Jeep Cherokee
travelling at 60 miles per hour, far above the 5 miles-per-hour limit of the initial research. The

researchers also controlled the acceleration pedal and the brakes, and were able to
permanently lock the electronic parking brake.

The 10 Security Commandments for Every SysAdmin

We Live Security
To celebrate the 17th annual SysAdmin Day on July 29, 2016, the authors put together 10
funny-but-true security commandments for sysadmins.

Facebook Ordered to Refund Parents for Accidental in-App Purchases

Sophos
Attention parents who live in the U.S. with Internet-savvy and app-purchase-happy children:
You may be entitled to refunds to game purchases that you may have not known about.
Security Resources

Follow Microsoft

Microsoft Cyber Trust Blog

Microsoft Security

Digital Crimes Unit

Microsoft Partner

Microsoft Security TechCenter

Microsoft MMPC

Microsoft Privacy

Microsoft_Gov

My Security Bulletins Dashboard

Security Response

MS in DOD

MVPAwardProgram

Contact Us

Microsoft News

Please contact your Technical Account Manager for

subscription assistance.

Microsoft Safer
Online

Microsoft Partner
UK

Security@Microsoft
(LinkedIn)

The Microsoft Security Slate is a customer-ready, weekly newsletter geared to Microsoft Premier customers and
partners. The Slate provides a scannable, relevant, and consumable snapshot of the weeks security news and
headlines.
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement by Microsoft of the site. The links are not under the control of Microsoft and Microsoft is not responsible
for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites.
Microsoft is not responsible for webcasting of any other form of transmission received from any linked site.
Microsoft customers: Do not forward or redistribute.

2016 Microsoft