SIM card maker Gemalto apparently now holds the world's record for fastest security audit?

Subject: General Tech | February 26, 2015 - 01:02 PM |
Tagged: Gemalto, SIM, encryption, fud, security

In just under a week SIM card maker Gemalto claims to have done a complete security audit of their systems in 85 different countries and reports that "its office networks were compromised, the servers holding the SIM card encryption keys weren't." This is a record worthy of Guinness, as most security audits take months or years to complete and the findings tend to discuss probabilities, not absolute certainties. As you might expect, The Register and security experts everywhere are doubtful of the claim, from a company that did not even know it was compromised less than a week ago, that the UK-based GCHQ and USA-based NSA are unable to compromise your SIM card's encryption when they have the keys in hand. It has not been a good week for anyone who thinks about security.

"Six days ago Gemalto, the world's largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Roll over Superfish, PrivDog is just as bad and comes from Comodo

Subject: General Tech | February 25, 2015 - 12:36 PM |
Tagged: fud, Comodo, SSL, security, PrivDog, idiots

This has been a bad week for the secure socket layer and the news just keeps getting worse. Comodo provides around one out of every three SSL certs currently in use as they have, until now, had a sterling reputation and were a trusted provider. It turns out that this reputation may not be deserved, seeing as how their Internet Security 2014 product ships with an application called Adtrustmedia PrivDog, which is enabled by default. Not only does this app install a custom root CA certificate which intercepts connections to websites to be able to insert customized ads like Superfish does, it can also turn invalid HTTPS certificates into valid ones. That means that an attacker can use PrivDog to spoof your bank's SSL cert, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid and secure connection to the site.

The only good news from The Register's article is that this specific vulnerability is only present in PrivDog versions 3.0.96.0 and 3.0.97.0 and so has limited distribution. The fact that this indicates the entire SSL certificate model is broken, and that even those who create the certs to assure your security feel that inserting a man-in-the-middle attack into their software does not contravene their entire reason for existing, is incredibly depressing.
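
A simplified model of the behaviour described above, added here as an illustration and not code from PrivDog, Comodo or The Register: an intercepting proxy that re-signs every upstream certificate under its locally installed root makes invalid certificates look valid to the browser, while one that validates first does not. All names (`Example Public CA`, `bank.example`, the function names) are constructed, and signature verification is reduced to an issuer lookup.

```python
from dataclasses import dataclass

# Constructed names; real signature checking is reduced to an issuer lookup.
PUBLIC_ROOTS = frozenset({"Example Public CA"})
LOCAL_ROOT = "Interceptor Local Root"

@dataclass(frozen=True)
class Cert:
    subject: str           # host name the certificate was issued for
    issuer: str            # name of the CA that signed it
    expired: bool = False

def validates(cert, host, trusted):
    """Simplified chain check: name matches, not expired, issuer is trusted."""
    return cert.subject == host and not cert.expired and cert.issuer in trusted

def resign_blindly(upstream, host):
    """Modelled flaw: every upstream certificate is replaced by one under the
    local root, whether or not the upstream certificate was valid."""
    return Cert(subject=host, issuer=LOCAL_ROOT)

def resign_after_validation(upstream, host):
    """Corrected behaviour: substitute only certificates that validated."""
    if not validates(upstream, host, PUBLIC_ROOTS):
        return upstream    # hand the bad certificate on so the browser rejects it
    return Cert(subject=host, issuer=LOCAL_ROOT)

def browser_accepts(upstream, host, interceptor):
    """The installer added LOCAL_ROOT to the browser's trust store."""
    presented = interceptor(upstream, host)
    return validates(presented, host, PUBLIC_ROOTS | {LOCAL_ROOT})

HOST = "bank.example"
CASES = {  # constructed upstream certificates
    "genuine": Cert(HOST, "Example Public CA"),
    "self-signed": Cert(HOST, HOST),
    "expired": Cert(HOST, "Example Public CA", expired=True),
    "wrong-name": Cert("other.example", "Example Public CA"),
}

def audit(interceptor):
    """Which upstream certificates end up accepted by the browser?"""
    return {name: browser_accepts(c, HOST, interceptor) for name, c in CASES.items()}

if __name__ == "__main__":
    for fn in (resign_blindly, resign_after_validation):
        print(fn.__name__, audit(fn))
```
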

"The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.

Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog."

Source: The Register

Your aggregate battery consumption isn't Li-On about your location

Subject: General Tech | February 24, 2015 - 12:56 PM |
Tagged: fud, security, smartphone

Tracking your smartphone's location via aggregate battery usage is not the most efficient or accurate method but it can be done, and Samsung (and others) have not provided a switch which makes that particular data private. Researchers have shown that by tracking the drain of the 3G cellular radio on the battery one can determine distance from the cellular base station the phone is connected to, and a coarse location based on interference from environmental factors such as buildings which partially block the signal. It is only a very coarse locator but does give better information than just the base station the phone is connected to, and as we are creatures of habit it allows tracking normal patterns of movement. This is nowhere near as accurate as GPS tracking and does require a bit of work to pull off, but as battery usage and levels are sent by the phone in the clear with no method of preventing that, it should cause some privacy concerns for users. You can read the research paper (in PDF) by following the link from The Inquirer.

"SCIENTISTS have warned of a new smartphone risk after discovering that battery power can be used to track a person's movements."

Source: The Inquirer

Of gaps of air and hats of tinfoil

Subject: General Tech | February 12, 2015 - 12:51 PM |
Tagged: security, fud

In networking, an air gap refers to a security measure that separates a network from the public infrastructure, either physically or through the use of extremely secure tunnelling. This prevents access to that network over the internet or less secure LANs and is used in high security locations as it is generally considered one of the best ways of securing a network. As with all things silicon, it is not perfect and this article at The Register should not be read by the faint of heart. They describe several methods which have been developed to overcome air gaps; thankfully most require that the attacker had been able to gain physical access to the air gapped systems to infect them from within and, as you have heard many times, once an attacker can gain physical access to your systems all bets are off.

What is interesting are the ways in which the infected systems transmit the stolen data without the need for physical contact, ways which are incredibly difficult to detect. Some are able to use the FM frequencies generated by GPUs to send data to cellphones up to 7m away, while another uses the pixels to transmit hidden data in a way that is invisible to the user of the machine. Other attacks involve spreading infection via microphones and speakers, or a thumbdrive which was attached to an air gapped machine and could transmit data over a radio frequency up to 13 kilometres away. It is a wild world out there and even though many of the attacks described have only been done in research labs, don't let strangers fondle your equipment without consent!

"The custom code had jumped an air gap at a defence client and infected what should have been a highly-secure computer. Sikorski's colleagues from an unnamed company plucked the malware and sent it off to FireEye's FLARE team for analysis."

Source: The Register

Your Friday FUD; the hackable hospital

Subject: General Tech | April 25, 2014 - 12:52 PM |
Tagged: hospital, hack, fud

If you thought that antibiotic-resistant infections were the only sort of bug you had to worry about when you are hospitalized then this story on Wired is not for you. Scott Erven is head of information security for Essentia Health, which operates a network of 100 facilities in the US, and he has released some shocking news about the hackability of hospital equipment. It would seem that almost every life-saving device is hackable, in many cases quite easily and remotely. Implantable defibrillators can be set off by an attacker or, worse, prevented from shocking a heart when they should; drug infusion pumps can have the delivered dosage changed; maximum radiation levels delivered by CT scans can be changed; and a host of other rather terrifying vulnerabilities make going to the hospital even more anxiety inducing than it already was. Your best bet is to try to stay healthy.

"When Scott Erven was given free rein to roam through all of the medical equipment used at a large chain of Midwest health care facilities, he knew he would find security problems–but he wasn’t prepared for just how bad it would be."

Source: Wired

Ruinous Text Format; watch those attachments!

Subject: General Tech | March 25, 2014 - 12:59 PM |
Tagged: rtf, microsoft, outlook, word, fud

Users of Microsoft Word 2003 to the current version on PC or the 2011 version for Mac, which means any version of Outlook or other Microsoft application in which Word is the default text editor, may want to avoid RTF attachments for the next while. There is an exploit in the wild which could allow a nefariously modified RTF file to give an attacker access to the machine on which it was opened, at the same level as the user. This does mean that those who follow the advice of most Windows admins and do not log in to an administrator level account for day to day work need not worry overly, but those who ignore the advice may find themselves compromised. As The Register points out, just previewing the attachment in Outlook is enough to trigger a possible infection.

"Microsoft has warned its Word software is vulnerable to a newly discovered dangerous bug – which is being exploited right now in "limited, targeted attacks" in the wild. There is no patch available at this time."

Source: The Register

Blackberry has your full IMAP/POP3 creds, next up the Pontiff's headgear and the defecation habits of Ursi

Subject: General Tech | July 18, 2013 - 01:26 PM |
Tagged: blackberry, fud

This story at Slashdot looks to be just the kind of FUD to spread to major news networks and talking heads everywhere, so before you get involved in the upcoming discussion know that this is how Blackberry, née RIM, has always functioned. POP3 and IMAP connections are not done over your BES, as ActiveSync traffic and the classic Exchange interface of pre-BB10 were, and if you are not using SSL or TLS then you should already know that your credentials are sent unencrypted; if you were not aware of this you should Google SSL and TLS to learn exactly what those security protocols are for.

In a corporate environment, traffic to and from the BES is encrypted and actually much more secure than most email traffic over the net, and for companies hosting their own BES all Blackberry did was provide direction for network traffic, though this did mean issues at RIM could and did interfere with email delivery. If you had RIM host your BES, then obviously they had all your email credentials stored on a server they owned, though encrypted and not plain text; how else would the BES be able to push email from your Exchange server to your Blackberry?

For POP3 and IMAP traffic, RIM needs your credentials for the same reason: to be able to push email to your device instead of your device having to log into a server and pull email down. ActiveSync is how the new Blackberry OS connects to your Exchange environment and it utilizes the security designed specifically for that protocol, and thus your login credentials are secured; this 'discovery' does not apply to that traffic. On the other hand, if you are using non-ActiveSync email for your company, do not utilize SSL or TLS and created an email for your administrator account which is associated with a Blackberry ... you should be worried and frankly replaced by someone with a basic grasp of security.

"How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs."

Source: Slashdot

The continuing decline in desktop sales

Subject: General Tech | July 11, 2013 - 02:42 PM |
Tagged: fud, desktops, pc sales

For the fifth quarter in a row, traditional desktops and laptops have seen a decline in sales globally. This mostly represents a shift in purchasing habits as opposed to an actual decline in the sales of electronics. Desktops have declined in sales since laptops became much more affordable and a decent alternative for light users who have no need for a powerful desktop. Now that tablets and smartphones are capable of providing the same experience to many users as a desktop or notebook, consumers are purchasing those devices, which has led to the perceived drop in sales. No matter what the various talking heads may claim, the desktop is not dead; no tablet on the planet can play Crysis nor will it handle SPSS. Check out the comments at Slashdot for more entertaining thoughts on the supposed death of the desktop.

"Global personal computer (PC) sales have fallen for the fifth quarter in a row, making it the 'longest duration of decline' in history. Worldwide PC shipments totalled 76 million units in the second quarter, a 10.9% drop from a year earlier, according to research firm Gartner. PC sales have been hurt in recent years by the growing popularity of tablets. Gartner said the introduction of low-cost tablets had further hurt PC sales, especially in emerging economies. 'In emerging markets, inexpensive tablets have become the first computing device for many people, who at best are deferring the purchase of a PC,' said Mikako Kitagawa, principal analyst at Gartner, said in a statement."

Source: Slashdot

Bieber can be used for evil

Subject: General Tech | May 29, 2013 - 02:31 PM |
Tagged: cell phone, security, fud

If you are feeling safe and secure using your cellphone in public, some research out of the University of Alabama will shatter that confidence for you. It seems that it is possible to use sound as a trigger to activate malware from a distance, even over low quality speakers. You already know about Shazam and other apps you can use to identify songs simply by holding up your cellphone and having it successfully connect to a remote database to get the song data, even in a loud room. This research shows that a previously infected phone could have dormant malware installed which can be remotely activated simply by music with a hidden message contained within it, inaudible to human ears. Pair this with the known Autoconnect to Saved WiFi Profiles vulnerability and your phone could very easily start leaking information you would much rather keep private. Follow the links from The Register to read the research paper and reactions to it.

"Security researchers have discovered that specific music, lighting, vibrations or magnetic fields could all be used as infection channels to trigger the activation of mobile malware on a massive scale.

The paper, titled Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices, was presented in the eastern Chinese city of Hangzhou earlier this month by researchers at the University of Alabama at Birmingham (UAB)."

Source: The Register

A second tale of doom and gloom for the PC market

Subject: General Tech | April 15, 2013 - 02:53 PM |
Tagged: fud, sales

Last week we saw a report describing the downturn in PC sales and it has been repeated today in a report from Gartner. With a global decline of sales this quarter totalling over 10% compared to the first quarter of 2012, the trend of falling PC sales continues for the fourth quarter in a row. It seems that tablets and smartphones are making headway into the market and many people who would have purchased an inexpensive TV for surfing and other light-duty tasks are satisfied with a smaller mobile device. In the US the decline was a hair under 10% and only Apple and Lenovo showed any growth. Get the full global breakdown at DigiTimes.

"Worldwide PC shipments totaled 79.2 million units in the first quarter of 2013, a 11.2% decline from the first quarter of 2012, according to Gartner. Global PC shipments went below 80 million units for the first time since the second quarter of 2009. All regions showed a decrease in shipments, with the EMEA region experiencing the steepest decline."

Source: DigiTimes