More stories


    Microsoft's out-of-band patch fixes Windows AD authentication failures

    Microsoft has released an out-of-band patch to fix authentication failures on Windows after installing the May 10, 2022 security update on Windows Server domain controllers. The new update should fix authentication failures that affected services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

    “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,” Microsoft explained.

    The US Cybersecurity and Infrastructure Security Agency (CISA) this week pulled Microsoft’s fix for the bug CVE-2022-26925 from its list of known exploited vulnerabilities that federal agencies must patch within a given timeframe. The bug was a Local Security Authority (LSA) spoofing vulnerability. Details of the bug have been publicly disclosed and exploits exist for it. An unauthenticated attacker could “call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft said. The bug would have a severity score of 9.8 when it is chained with NTLM relay attacks on Active Directory Certificate Services (AD CS), Microsoft added.

    The authentication issue was only caused after installing the May 10 update on Windows Server domain controllers. Any previously applied workarounds are no longer needed, according to Microsoft.

    Microsoft’s out-of-band patch also fixes a separate issue caused by the April KB5011831 or later updates that stopped some Microsoft Store apps from opening. The cumulative updates with the out-of-band fix are available for Windows Server 2022 (KB5015013), Windows Server, version 20H2 (KB5015020), Windows Server 2019 (KB5015018), and Windows Server 2016 (KB5015019). Microsoft has also released standalone updates for Windows Server 2012 R2 (KB5014986), Windows Server 2012 (KB5014991), Windows Server 2008 R2 SP1 (KB5014987), and Windows Server 2008 SP2 (KB5014990). Admins can manually import the updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.


    Does disk encryption slow down your PC? [Ask ZDNet]

    Welcome to this week’s installment of Ask ZDNet, where we answer the questions that make Dear Abby’s eyes glaze over. In the mailbag this week: A reader is concerned about the negative side effects of full disk encryption. Also: How your EV charger can pay for itself in a year or less, plus email archiving secrets.

    If you’ve got a question about any of the topics ZDNet covers, one of our team of editors and contributors probably has an answer. If they don’t, we’ll find an outside expert who can steer you in the right direction. Questions can cover just about any topic that’s remotely related to work and technology, including PCs and Macs, mobile devices, security and privacy, social media, home office gear, consumer electronics, business etiquette, financial advice … well, you get the idea. Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Ask away.

    What’s the downside of disk encryption?

    Does encrypting a disk make it less likely that data can be recovered with utilities after a crash? (Of course, that data should be backed up, but….) Does encrypting the disk make it more likely to have errors and failures? Does encrypting the disk make it harder to transfer to a bigger boot disk? I’m sure any tradeoffs are well worth it for important, sensitive data. But are there risks for the average home user?

    Make no mistake about it, disk encryption is a powerful security precaution. Using strong disk encryption means that your data is under your control and only your control. An unauthorized intruder who’s able to gain access to that encrypted data is able to see precisely nothing. And even with the assets of the world’s most powerful intelligence agencies, it takes months or years or even centuries to crack the code.

    And now the bad news: If you forget your password, you are indistinguishable from a hostile intruder and you will be treated as such, which means you will be locked out from your encrypted data. That’s not a bug, it’s a feature. A backdoor that would allow you to recover your data without the decryption key would also be available to an attacker, rendering the data protection useless.

    But that’s the only difference between an encrypted disk and one where the data is stored in the clear. If your drive or controller fails, resulting in data corruption, it doesn’t matter whether the data is encrypted or not; you’ll need a backup to recover the damaged files. And on modern hardware, encryption and decryption using the AES standard takes place in the CPU, which means that any impact on data transfer speeds is negligible.

    Which means your biggest challenge is to ensure that you have access to the backup encryption key for your device, for use only in the event of an emergency. On a Mac using Apple’s FileVault encryption, you can store the recovery key in iCloud or locally (follow the instructions in this support article). For devices running Windows 10 or Windows 11, follow the instructions in ZDNet’s BitLocker FAQ. Make sure you store that recovery key in a safe place. If you can supply that key on demand, you have full access to the data on the encrypted disk.

    Do I really need an expensive charger for my new electric vehicle?

    I’m about to purchase a new electric vehicle. Do I really need to pay $500 or more (plus installation) for a fancy charger in my garage?

    You only need two things to charge your EV: a 240V power outlet, and a cable to connect that power supply to your car’s charging port. (Yes, EV owners in the US can plug into a standard 110/120V outlet, but the charging rates are too slow to make that practical for everyday use, especially if you have a long commute.) Plug in the vehicle as soon as you get home; unplug it when you’re ready to leave. Easy, right?

    That basic setup can cost you dearly, however, if your local utility bases its billing on a “time of use” plan, with different rates per kWh based on the time of day. In most regions, peak rates apply in the afternoon and early evening, when demand is highest, and much lower rates apply in the wee small hours of the morning. Some power companies even offer plans specifically tailored to EV owners. Georgia Power, for example, offers a Plug-In Electric Vehicle Plan that charges 1 cent per kWh in the Super Off-Peak hours between 11 p.m. and 7 a.m. but bills at 7 cents or 20 cents per kWh at other times. In Oregon, the Time of Day plan from Portland General Electric charges 6.5 cents per kWh in off-peak hours from 9 p.m. to 7 a.m. but charges 30.6 cents during peak hours, 5 p.m. to 9 p.m.

    And that’s where a charger comes in handy. Use the charging app to specify that you only want to deliver power to the vehicle when rates are low. Over the course of a year, the savings from charging during off-peak hours can pay for the cost of the charger several times over.

    What’s the best way to archive my email?

    I have two email accounts, one hosted with Microsoft’s Outlook.com and the other with Gmail. After archiving my email and deleting unimportant messages, I would like to download the rest of them into year-wise folders on my laptop or external hard drive. What’s the best way to do this?

    Here at Ask ZDNet, we are normally can-do people, obsessed with finding a way to show you how to Do The Thing You Are Trying To Do. But just this time, we are joining Team Please Don’t Do That Thing You Are Trying To Do.

    Downloading email to local copies is a form of digital hoarding. You don’t need to do that! If you move those files to the Archive folder on the service where they were originally received, you can review and search those archives any time. If your search turns up a message you need to recall, you can copy, print, reply, or forward it as needed. You don’t need copies of those messages saved to your local PC. (For the rare Truly Important Message that deserves its own copy, such as a confirmation for a hotel reservation or a digital receipt that you know you might need in the future, use the Print function to save a message as a PDF file.)

    Your Outlook.com account stores up to 15 GB of mail for free. A paid Microsoft 365 business account includes 50 GB of storage. Your free Gmail account also includes 15 GB of storage, but that allotment includes whatever you’ve stored in Google Photos and Google Drive in addition to your email. If your archive becomes truly gargantuan, the costs to upgrade your email storage are relatively small and well worth it.

    You can, of course, always synchronize a copy of your Archive folder to a local store in an app like Outlook. If you’re worried that Microsoft or Google will be inaccessible at the precise moment you need an old email message, you can use this option. That should accomplish everything you’re trying to do, without hoarding.

    Send your questions to ask@zdnet.com. Due to the volume of submissions, we can’t guarantee a personal reply, but we do promise to read every letter and respond right here to the ones that we think our readers will care about. Be sure to include a working email address in case we have follow-up questions. We promise not to use it for any other purpose.



    Fake domains offer Windows 11 installers – but deliver malware instead

    Security researchers have found a new collection of phishing domains offering up fake Windows 11 installers that actually deliver information-stealing malware. 

    Cybersecurity firm Zscaler said that newly registered domains appeared in April 2022 and have been designed to mimic the legitimate Microsoft Windows 11 OS download portal. ‘Warez’ sites containing pirate material, including software and games, are notorious as hotbeds of malware packages, including Trojans, information stealers, adware, and nuisanceware.

    Cracked forms of software are on offer for free, and users who download the software are usually trying to avoid paying for software licenses or gaming content. A brief scan of active warez sites reveals listings for Windows, macOS, and Linux applications, including Adobe Photoshop, various creative applications, enterprise versions of Windows software, and a host of films and games. However, if you risk the download, you might be opening your machine up to infection – and the same applies if you download software you trust from a suspicious web address.

    In the case documented by Zscaler, Vidar is spread by the threat actors through phishing and social media networks, including Mastodon, which are widely abused to facilitate attacks. Mastodon is decentralized, open-source software used to run self-hosted social networks. In two instances, the cyber criminals created new user accounts and stored command-and-control (C2) server addresses in their ‘profile’ sections. In a new development, the Vidar group is also opening Telegram channels with the same C2 stored in the channel description. By doing so, malware implanted on vulnerable systems can fetch C2 configuration from these channels.

    Vidar is a nasty form of malware able to spy on users and steal their data, including OS information, browser history, online account credentials, financial data, and various cryptocurrency wallet credentials. Vidar is also spread through the Fallout exploit kit.

    While the fake website pretends to be the official download portal, the malicious file on offer is an .ISO hiding the Vidar payload and packed with Themida. A static configuration is used to access the C2, but social media profiles can also be used as backup URLs. In addition to the .ISO files being distributed as fake Windows 11 installers, Zscaler also uncovered a GitHub repository storing backdoored versions of Adobe Photoshop, another popular option for warez sites.

    The best option to mitigate the risk of Vidar is to only download software from trusted, official domains – and to not give in to the lure of free, cracked software.

    “The threat actors distributing Vidar malware have demonstrated their ability to social engineer victims into installing Vidar stealer using themes related to the latest popular software applications,” the researchers say. “As always, users should be cautious when downloading software applications from the Internet.”


    Microsoft: This botnet is growing fast and hunting for servers with weak passwords

    Microsoft has seen a 254% increase in activity over the past few months from XorDDoS, a roughly eight-year-old network of infected Linux machines that is used for distributed denial of service (DDoS) attacks.  XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers. SSH is a secure network communications protocol commonly used for remote system administration.


    Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker’s command and control infrastructure.

    While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. “We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner,” Microsoft notes.

    XorDDoS was one of the most active Linux-based malware families of 2021, according to Crowdstrike. The malware has thrived off the growth of Internet of Things (IoT) devices, which mostly run on variants of Linux, but it has also targeted misconfigured Docker clusters in the cloud. Other top malware families targeting IoT devices include Mirai and Mozi. Microsoft didn’t see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities.

    XorDdos can hide its activities from common detection techniques. In a recent campaign, Microsoft saw it overwriting sensitive files with a null byte. “Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis. We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions,” Microsoft notes.

    The XorDdos payload Microsoft analyzed is a 32-bit Linux format ELF file with a modular binary written in C/C++. Microsoft notes XorDdos uses a daemon process that runs in the background, outside the control of users, and terminates when the system is shut down. But the malware can automatically relaunch when a system is restarted thanks to several scripts and commands that cause it to run when a system boots.

    XorDdoS can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks. It collects characteristics about an infected device, including the magic string, OS release version, malware version, rootkit presence, memory stats, CPU information, and LAN speed, which are encrypted and then sent to the C2 server.
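    The story describes XorDDoS gaining its foothold by guessing SSH passwords, which leaves a recognisable trace in sshd logs: a burst of failed password logins from one source, sometimes followed by an accepted password login from the same source. The Python detector below is an added example for defenders, not code from the article or from Microsoft; the log lines are constructed, and the year, the failure threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not real logs).
# 203.0.113.7 hammers root/admin and then gets in; 198.51.100.4 is a
# legitimate user who mistyped a password once and then used a key.
SAMPLE_AUTH_LOG = """\
May 19 02:14:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
May 19 02:14:02 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
May 19 02:14:02 web1 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
May 19 02:14:03 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51050 ssh2
May 19 02:14:04 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51061 ssh2
May 19 02:14:05 web1 sshd[1211]: Failed password for root from 203.0.113.7 port 51070 ssh2
May 19 02:14:09 web1 sshd[1213]: Accepted password for root from 203.0.113.7 port 51082 ssh2
May 19 02:20:15 web1 sshd[1301]: Failed password for alice from 198.51.100.4 port 40022 ssh2
May 19 02:20:40 web1 sshd[1303]: Accepted publickey for alice from 198.51.100.4 port 40031 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_sshd_lines(text, year=2022):
    """Return (timestamp, result, method, user, src) tuples for each sshd auth line.

    Syslog timestamps carry no year, so the year is an assumption passed in.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def detect_password_guessing(events, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed password logins inside one window.

    Returns {src: {"failures": n, "users": [...], "success_after_burst": bool}}.
    success_after_burst is True when the same source later had an accepted
    password login, i.e. the guessing appears to have worked.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[4]].append(ev)
    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed" and e[2] == "password"]
        burst_start = None
        # Sliding window: the i-th and (i+threshold-1)-th failures must be close in time.
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1][0] - failures[i][0] <= window:
                burst_start = failures[i][0]
                break
        if burst_start is None:
            continue
        success = any(
            e[1] == "Accepted" and e[2] == "password" and e[0] >= burst_start for e in evs
        )
        findings[src] = {
            "failures": len(failures),
            "users": sorted({e[3] for e in failures}),
            "success_after_burst": success,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_password_guessing(parse_sshd_lines(SAMPLE_AUTH_LOG)).items():
        status = "CREDENTIAL LIKELY GUESSED" if info["success_after_burst"] else "burst only"
        print(f"{src}: {info['failures']} failed password logins for {info['users']} ({status})")
```

    A source flagged with success_after_burst set is the case the story warns about, where the password-guessing stage has succeeded and the follow-on installation should be assumed.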


    India reaffirms commitment to new cybersecurity rules

    India has reaffirmed its commitment to new cybersecurity rules under a directive from the country’s computer emergency response team — known as Cert-In — that will force virtual private server providers, cloud service providers, and virtual private network service (VPN) providers to store customer information. Service providers will be required to maintain a database that includes user IP addresses, names, period of subscription, user email addresses, validated addresses, and contact information.

    India’s junior IT minister Rajeev Chandrasekhar released a frequently asked questions document on Wednesday addressing concerns aimed at the new rules — particularly around the requirement that tech companies provide information on data breaches to government within six hours of the incident occurring. “The nature of user harms and risks in 2022 are different from what it used to be a decade back … Rapid and mandatory reporting of incidents is a must and a primary requirement for remedial action for ensuring stability and resilience of cyber space,” said Chandrasekhar. According to Reuters, Chandrasekhar also said that tech companies should “pull out” of the country if they do not want to comply with the new government directive.

    Meanwhile, VPN provider ProtonVPN expressed concerns regarding the new rules, claiming that the regulations are “an assault on privacy and threaten to put citizens under a microscope of surveillance”, and that the company remains committed to its “no-logs policy”.

    The FAQ document states that those who do not comply with the rules, failing to provide the information as specified, will be punishable with imprisonment for a term of up to one year, fined up to ₹100,000, or both. The new rules are set to be enforced from the end of June after being first announced on April 28.


    Twitter to hide misleading tweets under new crisis response policy

    Written by

    Aimee Chanthadavong, Senior Journalist


    Twitter has introduced its crisis information policy to ensure that any misleading tweets are not amplified or recommended during crises, in a further attempt to stamp out misinformation. Under the policy, Twitter said, as soon as it has evidence that a tweet is misleading it will be slapped with a warning notice which will also feature a link to more details about the crisis misinformation policy; likes, retweets and shares will be turned off; and the content will not be recommended across the service and will be stopped from surfacing on the home page, search, or explore.

    Twitter added it will also prioritise adding warning notices to highly visible tweets and tweets from high-profile accounts, such as state-affiliated media accounts, verified, or official government accounts. To determine whether a claim is misleading, Twitter said it will require verification from multiple credible, publicly available sources, including evidence from conflict monitoring groups, humanitarian organisations, open-source investigators, journalists, and more.

    Some examples of tweets that might be flagged under the new policy, said Twitter, include false on-the-ground event reporting, false or misleading allegations of war crimes, mass atrocities, or use of weapons, and false information about international sanctions, community response, or humanitarian operations. Users who do want to continue to read tweets that have been slapped with a misinformation warning will have to click through the notice to view them. In the past, misinformation warnings did not cover up a tweet — it was labelled under the tweet.

    According to Twitter, the first iteration of the policy will focus on misinformation around the war in Ukraine, but planned updates will see the policy expanded to include additional forms of crises. “Down the line, as we expand our approach, we will enforce around other emergent global crises, informed by the United Nations Inter-Agency Standing Committee (IASC)’s emergency response framework, and other global humanitarian frameworks,” Twitter said in a blog post.

    The introduction of the policy comes as the social media giant awaits the finalisation of its $44 billion acquisition deal with Elon Musk, which has been put on hold for the last week after the billionaire said he needs more detail about the level of spam and fake accounts that exist on Twitter and suggested he may lower his original offer.

    Since revealing his acquisition plans, Musk has also been forthcoming about his position on banning people from the social media platform. Earlier this month, he labelled the decision by Twitter to permanently suspend former US President Donald Trump’s account as “morally bad”, “foolish in the extreme”, and “flat-out stupid”. He also delivered a similar message when he announced his billion-dollar deal with Twitter, where he described “free speech” as the “bedrock of a functioning democracy”, and said that “Twitter is the digital town square where matters vital to the future of humanity are debated”. Despite Musk’s stand for free speech, a recent filing revealed that he would be happy to get the Twitter deal done with the backing of noted bastions of repression, Qatar and Saudi Arabia.

    Also on Friday, Business Insider reported that based on documents obtained by the publication, a SpaceX flight attendant alleged that Musk exposed himself and propositioned her for sex, and Musk’s aerospace firm paid the flight attendant $250,000 to settle the sexual misconduct claim against him in 2018.


    Canada to ban Huawei and ZTE and tell telcos to rip out 5G and 4G equipment

    Written by

    Chris Duckett, APAC Editor


    Following the steps of its Five Eyes partners, Canada has moved to ban Huawei and ZTE from its telco networks. “The government of Canada is ensuring the long term safety of our telecommunications infrastructure. As part of that, the government intends to prohibit the inclusion of Huawei and ZTE products and services in Canada’s telecommunications systems,” Minister of Innovation, Science and Industry François-Philippe Champagne said. “As a result, telecommunications companies that operate in Canada would no longer be permitted to make use of designated equipment or services provided by Huawei and ZTE. As well, companies that already use this equipment installed in their networks would be required to cease its use and remove it.”

    Citing many of the same reasons that Australia used to ban Huawei in 2018, the Canadian government said the interconnectedness and interdependence of 5G networks makes exploitation much more significant. “The government of Canada has conducted an extensive examination of 5G wireless technology and the various technical, economic, and national security aspects of 5G implementation. The examination made clear that while this technology will bring significant benefits and economic opportunities, the technology will also introduce new security concerns that malicious actors could exploit,” it said. “In 5G systems, sensitive functions will become increasingly decentralised and virtualised in order to reduce latency, and the number of devices they will connect will also grow exponentially.”

    Canadian telcos will be banned from purchasing any new 5G or 4G equipment or managed service from Huawei and ZTE from the start of September, and have until 28 June 2024 to rip out any existing 5G equipment, and until the end of 2027 to remove any LTE equipment.

    The government also referenced US moves to restrict semiconductor supply to the companies. “Canada believes that evolving international supply chain dynamics have further implications due to growing restrictions on access to certain components,” it said. “Shifts from well-known inputs to others have implications for Canada’s ability to conduct assurance testing. This changing supply chain environment toward other components will make it increasingly difficult for Canada to maintain a high level of assurance testing for certain network equipment from a number of potential suppliers.”

    In 2020, the Canadian telcos that made use of Huawei 4G equipment, Bell and Telus, said they would not continue to make use of Huawei equipment for 5G. Bell said it was moving to Ericsson, while Telus said it would go with a combination of Ericsson and Nokia.

    In September 2021, the three-year saga involving the extradition lawsuit of Huawei CFO Meng Wanzhou ended. Meng was allowed to return to China after she reached an agreement with United States prosecutors to admit to misleading global financial institutions and did not plead guilty to the various fraud charges imposed against her. Without even trying to hide its hostage diplomacy tactics, Beijing subsequently released two Canadians who were detained shortly after Meng’s arrest and kept in Chinese prisons. By contrast, Meng was able to live under house arrest in one of her two Vancouver homes.

    The US Federal Communications Commission laid out in September the rules for small carriers that are applying to access a pot of $1.9 billion to rip out and replace Huawei and ZTE network equipment and services among smaller carriers.


    Why you should be using secure DNS on your Chromebook

    Written by

    Jack Wallen, Contributing Writer


    DNS stands for Domain Name System and makes it possible to type google.com instead of 142.251.32.14. What DNS does is map the name you type to the IP address associated with it. In the example I just mentioned, 142.251.32.14 is one of the IP addresses mapped to google.com. Without DNS, you’d have to remember IP addresses, which is not user-friendly.

    By default, DNS isn’t terribly secure. Every time you search in your web browser, that search is sent in plain text. That means anyone intercepting the search data you send from your Chromebook can read it. However, if you make use of secure DNS, that search data is encrypted, so it’s far more challenging to read. Because it’s so easy to enable secure DNS in ChromeOS, this should be considered a must-do for anyone who’s adamant about security and privacy.

    How do you enable secure DNS on your Chromebook? I’ll show you how. Fortunately, Google has built this into ChromeOS, such that all you have to do is enable it and then select a DNS service that supports secure DNS. I’m going to do this using Cloudflare’s 1.1.1.1 DNS service, which is free to use. I’ll be demonstrating on ChromeOS 103.0.5045.0. Let’s get to work.

    Enabling secure DNS on ChromeOS

    1. Log into your Chromebook and click the system tray at the bottom right of your display.
    2. From that popup (Figure 1), click the gear icon to open the Settings app.
    Figure 1: Accessing the Settings app from within the system tray on ChromeOS.
    3. In the resulting window (Figure 2), click Security and Privacy.
    Figure 2: The ChromeOS Settings app is where most of your configurations take place.
    4. In the Security and Privacy section (Figure 3), you’ll see the Use secure DNS option.
    Figure 3: By default, secure DNS is not enabled.
    5. Click the ON/OFF slider for Use secure DNS until it’s in the ON position.
    6. Once secure DNS has been enabled, click the check box for With and then select Cloudflare 1.1.1.1 from the drop-down (Figure 4).
    Figure 4: Select Cloudflare for your secure DNS usage.

    You can then close the Settings app, open Chrome, and start browsing to your heart’s content, knowing your DNS queries will be sent over a secure connection. Congratulations on adding another layer of security to your Chromebook.