Just say no to Accelerator support applications; yet another Lenovo vulnerability

Subject: General Tech | June 3, 2016 - 08:10 PM |
Tagged: Lenovo, security, idiots, superfish

At some point they may learn, but obviously not yet: Lenovo's Accelerator support application opens two vulnerabilities on any system where it is installed.  Its updater fetches over an unencrypted channel and does not verify what it receives, so anyone sitting between you and the update server can tamper with the download in transit, a classic man-in-the-middle attack.  Six notebook and 25 desktop lines have this issue, although ThinkPads and ThinkStations are not on the list.  If you have the software you should remove it immediately.  More over at The Register.


"Duo Security researcher Mikhail Davidov reported the holes that would allow eavesdropping attackers to tap into Accelerator's unencrypted update channels to compromise users."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

I love it when a bad guys plan doesn't come together

Subject: General Tech | March 17, 2016 - 05:25 PM |
Tagged: ransomware, Malware, security, idiots

With the lousy news below the fold, up to and including yet another Stagefright exploit, here is a bit of amusing news to balance out the bad.  A recently unleashed ransomware program seems to have been developed on stolen code, and the original developer has taken offence to this.  His original program, EDA2, was designed to illustrate how ransomware works, and he intentionally included a backdoor to ensure that the data could always be decrypted.

He has used that backdoor to retrieve the complete list of decryption keys and posted them to the net; The Register has a link to that list right here.  It is good for the soul to see incompetent bad guys every once in a while.


"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."


Source: The Register

New, from the company that brought you SuperFish ...

Subject: General Tech | January 26, 2016 - 05:13 PM |
Tagged: security, Lenovo, idiots

Lenovo chose the third most popular password of 2015 to secure its SHAREit for Windows application and, for bonus points, hard-coded it, for which there is utterly no excuse in this day and age.  If you aren't familiar with the software, it is a file-sharing app which allows you to share files and folders, apparently with anyone now that this password ridiculousness has been exposed.  As you read on at The Inquirer the story gets even better: files are transferred in the clear without any encryption, and it even creates an open WiFi hotspot for you, to make sharing your files even easier for all and sundry.  There are more than enough unintentional vulnerabilities in software and hardware; we really don't need companies programming them in on purpose.  If you have SHAREit, you should probably DumpIT.

***Update***

We received word that there is an updated version of SHAREit available for those who do use the app and would like to continue to do so.

They can also access the latest versions which are posted and available for download on the Lenovo site. The updated Android version of SHAREit is also available for download on the Google Play store. Please visit the Lenovo security advisory page for the latest information and updates: (https://support.lenovo.com/us/en/product_security/len_4058)


"HOLY COW! Lenovo may have lost its mind. The firm has created vulnerabilities in ShareIT that could be exploited by anyone who can guess that '12345678' could be a password."


Source: The Inquirer

The Internet of Things loves to share

Subject: General Tech | November 26, 2015 - 05:22 PM |
Tagged: idiots, iot, security

You would think people would be taken aback if someone suggested saving money by using the same key on every new house built in a neighbourhood; if not, you probably work for a company developing hardware for the Internet of Things.  In a recent survey of 4,000 embedded devices from 70 hardware makers, SEC Consult found that many shipped with the same hardwired SSH host keys and server-side SSL certificates.  The numbers they gave The Register: a total of 580 unique private keys were found spread across all the analyzed devices, of which at least 230 are already in use on the internet.  To be fair, this is not uncommon in consumer-level firmware, as companies do not even bother to review the source code they ship, let alone change the keys held within it, but it is a huge security risk: anyone who extracts the key from one unit can impersonate, or decrypt traffic to, every other unit that shares it.  For a glimpse at how bad some of these supposedly secure certs and keys are, read on at The Register.


"Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned."


Source: The Register

Now they are coming for your dd-wrt

Subject: General Tech | August 31, 2015 - 08:48 PM |
Tagged: wireless router, idiots, dd-wrt

In the next installment of poorly planned moves by a US government agency attempting to solve a problem that does not exist, we shall see an attempt to make illegal the modification of the firmware on any device which contains a radio.  This is presumably to prevent you from using open source software to modify your wireless router into a death ray which will allow you to take over the planet.

Specifically, it would make illegal the modification of any device which can broadcast on the U-NII bands, the 5 GHz bands that WiFi uses.  While most firmware replacements such as dd-wrt only change the software running on the router's CPU, these routers are built around SoCs, which means that the radio is technically part of the same chip as the one whose code you replace when applying custom firmware.  Hack a Day has links to the FCC proposal; you might want to consider emailing your congress critters about it.


"Because of the economics of cheap routers, nearly every router is designed around a System on Chip – a CPU and radio in a single package. Banning the modification of one inevitably bans the modification of the other, and eliminates the possibility of installing proven Open Source firmware on any device."


Source: Hack a Day

What if a server OS died and no one cared

Subject: General Tech | July 10, 2015 - 04:41 PM |
Tagged: server 2003, microsoft, idiots, EoL

In a lack of foresight that will not take anyone working professionally in IT by surprise, 70% of businesses are ignoring the fact that Windows Server 2003 hits EoL next Tuesday.  The belief that what your clients don't know won't hurt them is endemic in the business world, and this is yet more proof of that philosophy.  Most businesses sign agreements guaranteeing that their clients' data will be stored securely, and running an unsupported OS over a decade old stretches the definition of secure storage far beyond the breaking point.  Your bank, your payroll company, your government, even your ISP and telephone provider are all likely to be guilty of this and you should be aware of that.  It does not mean that there will be a sudden outbreak of attacks next week; instead there will be a slow rise in the number of security breaches and leaks as more and more exploits are discovered and never patched.  The Inquirer does not have the numbers on how many companies are taking Microsoft's offer of support for Server 2003 beyond Tuesday for $600 per server, but you can bet that the uptake is a tiny percentage of the 70%.  Much like the proverbial frog, people will not notice the slow rise in security breaches until the damage is already irreversible.


"WE'RE AT T-MINUS four days and counting, and a new survey suggests that as many as 70 percent of businesses are going to miss the deadline for upgrading from Windows Server 2003."


Source: The Register

Roll over Superfish, PrivDog is just as bad but doesn't come directly from Comodo

Subject: General Tech | February 25, 2015 - 05:36 PM |
Tagged: SSL, security, PrivDog, idiots, fud, Comodo

This has been a bad week for the secure socket layer and the news just keeps getting worse.  Comodo issues around one out of every three SSL certs currently in use, as it has, until now, had a sterling reputation and was a trusted provider.  It turns out that this reputation may not be deserved, seeing as how its Internet Security 2014 product ships with an application called Adtrustmedia PrivDog, which is enabled by default.  Not only does this app install a custom root CA certificate and intercept connections to websites so it can insert customized ads, as SuperFish does, it also turns invalid HTTPS certificates into valid ones: PrivDog re-signs whatever certificate the remote site presents with its own locally trusted root, without first checking that the original certificate was valid.  That means an attacker can spoof your bank's SSL cert, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid and secure connection to the site.

The only good news from The Register's article is that this specific vulnerability is only present in PrivDog versions 3.0.96.0 and 3.0.97.0 and so has limited distribution.  That this indicates the entire SSL certificate model is broken, and that even those who create the certs to assure your security feel that building a man-in-the-middle attack into their software does not contravene their entire reason for existing, is incredibly depressing.

Update: The Register's article was originally based on research from Hanno Böck, who referred to PrivDog as being distributed by Comodo.  Comodo does not distribute the standalone desktop version of PrivDog, only the browser extension, which was never vulnerable to the TLS interception.


"The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.

Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog."


Source: The Register

Ignorance may be bliss but it will cost you $600 per Server 2003 installation

Subject: General Tech | February 17, 2015 - 05:27 PM |
Tagged: microsoft, server 2003, idiots, EoL

If you ever feel ignored when offering technical advice to executives or anyone ranking above you in your business, then this statistic about Server 2003 that The Register quotes will come as no surprise: "47 percent of 1,000 Fortune 500 IT executives had no idea that end-of-life was coming".  Of course this does not mean that they were never told, nor that Microsoft obfuscated the EoL date; it shows that they completely ignored the professionals who work for them and warned them.  Now they have a choice: they can run servers that no longer receive security updates or support from Microsoft, or they can pay $600 per server for a year of extended support, with that amount likely increasing every year.  It does not make business sense to migrate to every new server or client platform that is released, but postponing that upgrade for over a decade on the assumption that your supplier will never cut you off is bordering on idiocy.  Just to add to your frustration, none of those supposed IT executives are likely to be fired as a direct result of this poor planning, and on the off chance one does leave, the severance they pick up will likely be worth more money than you have made since the release of Server 2003.


"MICROSOFT HAS PUT a price on extended support for servers running Windows Server 2003 after it reaches end-of-life this summer."


Source: The Register

Steam for Linux will teach you the difference between backups and redundancy

Subject: General Tech | January 16, 2015 - 05:45 PM |
Tagged: steam, linux, idiots

If you move Steam's home directory ($STEAMROOT) on Linux you run the risk of Steam running rm -rf over everything your user owns, which in the case of this unfortunate person on Slashdot included their attached USB hard drive.  It is a nasty bug and an easily avoidable one: the script runs rm -rf "$STEAMROOT/"* without first checking that $STEAMROOT actually holds anything, so when the lookup of the Steam directory fails and the variable is left empty the shell expands the command to rm -rf "/"*, which is every top-level directory on the system.  Because Steam runs as your own user it does not need root to do this damage; everything you own, and anything writable that you have mounted, is fair game.  For the time being it would be very wise to leave your Steam files in their default location, and to realize that a drive plugged into your machine is not a true backup until it has been unplugged.
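The failure mode described above and a guarded replacement, as an added shell example (this is not Valve's steam.sh, and using a steam.sh marker file to confirm the directory really is a Steam root is my own assumption). Both functions are dry runs: they print the paths that rm -rf would receive instead of deleting anything, so you can see the expansion safely.

```shell
#!/bin/sh
# Added example, not Valve's script. Both functions print what "rm -rf"
# would be handed rather than deleting anything.

# The pattern from the bug report, unchanged. The shell substitutes
# $STEAMROOT first and expands the glob afterwards, so with an empty
# variable the argument list becomes "/"* i.e. /bin /boot /etc /home ...
unguarded_targets() {
    STEAMROOT="$1"
    for p in "$STEAMROOT/"*; do
        printf '%s\n' "$p"
    done
}

# Guarded version. Produces no targets unless STEAMROOT is non-empty, is a
# directory, and contains a marker file a real Steam root always has
# (steam.sh is an assumption; use whatever your installer always writes).
# Returns 1 instead of silently turning into "/"*.
guarded_targets() {
    STEAMROOT="$1"
    if [ -z "$STEAMROOT" ]; then
        echo "STEAMROOT is empty, refusing to delete anything" >&2
        return 1
    fi
    if [ ! -d "$STEAMROOT" ]; then
        echo "STEAMROOT is not a directory: $STEAMROOT" >&2
        return 1
    fi
    if [ ! -f "$STEAMROOT/steam.sh" ]; then
        echo "no steam.sh under $STEAMROOT, refusing to treat it as a Steam root" >&2
        return 1
    fi
    for p in "$STEAMROOT"/*; do
        # An empty directory leaves the glob unexpanded; skip the literal.
        [ -e "$p" ] || continue
        printf '%s\n' "$p"
    done
}

# Usage (dry run):  guarded_targets "$HOME/.steam/steam"
# Real deletion only after the guard passes:
#   guarded_targets "$dir" >/dev/null && rm -rf -- "$dir"/*
```

The shorter idiom `rm -rf "${STEAMROOT:?}"/*` gets you the empty-variable check for free (the shell aborts with an error instead of expanding), but it does not catch a variable that points at the wrong directory, which is why the guarded function also checks for a marker file.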


"I launched steam. It did not launch, it offered to let me browse, and still could not find it when I pointed to the new location. Steam crashed. I restarted it. It re-installed itself and everything looked great. Until I looked and saw that steam had apparently deleted everything owned by my user recursively from the root directory. Including my 3tb external drive I back everything up to that was mounted under /media."


Source: Slashdot

There's one born every minute; the sound quality of different storage medium

Subject: General Tech | January 9, 2015 - 06:22 PM |
Tagged: monster, idiots, audiophile

Believe it or not, there is a review out on the interwebs claiming that "'bit-identical' computer audio may well be just as inexplicably inconsistent as analogue."  In other words, some hard drives and SSDs will produce better quality audio than others using the exact same audio file.  Two different QNAP NAS devices apparently produced differing audio signals which the writer claims to be able to discern.  Not only that, but apparently different HDDs or SSDs inside the NAS also have an effect on the audio flavonoids and topology.  If that is not enough for you then keep reading the link from The Register, as they also propose the theory that different types of RAID will change the cromulence of the audio signal as well, and while they stop short of describing the audio cables which were used, they did stoop so low as to use Belkin CAT6 instead of a product from Monster.  If you believe this and own a mains conditioner for your audio you should definitely let The Register know you are interested in their proposed AudioNAS Kickstarter.


"Is it April already? I really cannot tell from this post, which poses the question: "Is it really possible that the sound quality of bit-identical audio files is influenced by their storage medium before being delivered to the hi-fi system's DAC?"


Source: The Register