To read this story just post your first pet's name and the first address you remember living at in the comments

Subject: General Tech | September 21, 2016 - 01:11 PM |
Tagged: security, idiots

David Hannum underestimated humanity greatly when he claimed a sucker was born every minute; we are now up to one every 15 seconds and accelerating.  Online scammers continue doing what they are doing because it works; even those who should know better regularly share personal details online which make scammers' lives much easier.  It is not just those suspicious phone calls, texts or websites; many people's social media feeds are a cornucopia of personal information which allows scammers to profit off of your money.  The problem is only getting worse; in the UK, The Register reports that losses in 2015 were £755m, 26% more than 2014.  A quick search reveals that the trend applies to the US as well.

You've heard it before and will hear it again: take a second to ask yourself if you really should be sharing what you are about to post before you send it.

"Between January and June 2016 there were 1,007,094 fraud cases in the UK compared to 660,308 in the first six months of 2015. Each case represents a card or account attacked, not an individual person."

Source: The Register

ARM's new security focused Cortex R-52 for IoT

Subject: General Tech | September 20, 2016 - 01:20 PM |
Tagged: arm, iot, cortex r52, r-52, cortex, security

ARM's new Cortex R-52 replaces the aging R-5, and they report that it will run 14 times faster than the model it replaces.  It is also the first ARMv8-R based product they have released; it supports hypervisor instructions as well as additional unspecified safety features.  They are aiming for medical applications as well as vehicles, markets which are currently plagued by insecure software and hardware.  In many cases the insecurity stems from companies using the default software settings in their products, often due to ignorance as opposed to malice, and ARM intends their default settings to be far more secure than current SoCs.  Unfortunately this will not help with those who use default passwords and ports, but it is a step in the right direction.  Pop over to The Inquirer for more information.

"The Cortex R-52 has been five years in development and is engineered to meet new safety standards as ARM takes aim at the growing market of large-scale smart devices, such as surgical robots and self-driving cars."

Source: The Inquirer

If you thought IoT security was already bad ...

Subject: General Tech | September 7, 2016 - 12:25 PM |
Tagged: iot, security, ssh, idiots

The research that SEC Consult has conducted shows that almost half of all IoT devices, from your router straight through to devices in hospitals and factories, use publicly known SSH host keys and X.509 certificates.  Since these keys are known far and wide, it is depressingly easy to break the encryption on any communications from these devices and harvest passwords and other data, or even to change the contents of those communications on the fly.  Imagine a heart monitor which reports a strong heartbeat long after the patient has died, or a large machine in a power plant being given different readings to allow it to exceed safety margins and destroy itself.  This is only getting worse, as many companies creating these IoT devices are either trying to save money by using packaged software or in some cases are totally ignorant of the effect of reusing keys.

If you can, change your keys to be device-specific and isolate those devices on your network.  As The Register unhappily points out, this is not something your average consumer or purchasing department is aware of, let alone proficient enough to change keys on their devices.
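One way to check your own fleet for the key reuse described above, as an added example that is not from the original post or from SEC Consult: it groups hosts by SSH host key fingerprint and reports any key served by more than one device. It assumes input lines in the "host keytype base64key" layout that ssh-keyscan prints; the addresses, banner and key blobs in the sample are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(text):
    """Yield (host, keytype, fingerprint) from 'host keytype base64key' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank line, comment line, or truncated entry
        try:
            fp = fingerprint(parts[2])
        except ValueError:
            continue  # key field is not valid base64; skip rather than guess
        yield parts[0], parts[1], fp


def shared_keys(text):
    """Return {(keytype, fingerprint): [hosts]} for keys seen on more than one host."""
    groups = defaultdict(set)
    for host, keytype, fp in parse_scan(text):
        groups[(keytype, fp)].add(host)
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) > 1}


def _blob(label):
    # Constructed stand-in for a key blob; a real scan carries actual public keys.
    return base64.b64encode(label).decode()


# Constructed sample scan: documentation-range addresses, placeholder key blobs.
SAMPLE_SCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-constructed-banner",
    "192.0.2.10 ssh-rsa " + _blob(b"constructed-firmware-key"),
    "192.0.2.11 ssh-rsa " + _blob(b"constructed-firmware-key"),
    "192.0.2.12 ssh-rsa " + _blob(b"constructed-unique-key-12"),
    "192.0.2.13 ssh-rsa not*base64",
    "192.0.2.14 ssh-rsa " + _blob(b"constructed-firmware-key"),
])

if __name__ == "__main__":
    for (keytype, fp), hosts in shared_keys(SAMPLE_SCAN).items():
        print(f"{keytype} {fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any group it reports is a set of devices that would all be exposed by the disclosure of one private key, which makes them the first candidates for regenerated keys and network isolation.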

"Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications."

Source: The Inquirer

Backdoors are bad, Microsoft; hadn't this become very obvious already?

Subject: General Tech | August 11, 2016 - 12:48 PM |
Tagged: Secure Boot, microsoft, backdoor, security

Yes, even though this occurs on a regular basis, we are to be shocked that another secret backdoor into a security product has been discovered, exploited and published.  In this case it is Microsoft's Secure Boot which has been unlocked, and even better news is that it probably cannot be completely repaired without rendering previous backups and installations incompatible.  On the positive side, devices which are locked down even for those with administrative privileges, such as ARM-based Windows RT tablets, can be unlocked and you can choose a different OS to install.  The negatives will have more of an effect on businesses and system builders who relied on it to prevent modified Windows installs from booting, preventing infections and questionably sourced Windows images from being used.

The Register has links to more information on Secure Boot and Microsoft's response and you can read some information about the group which found and released the information about this over at The Inquirer.

"Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder."

Source: The Register

You can run your RX 480 on Linux kernel 4.7

Subject: General Tech | July 25, 2016 - 01:12 PM |
Tagged: linux, kernel 4.7, security, rx 480, LoadPin

For now we are awaiting the benchmarks but with the release of this new kernel, Linux users will be able to run the new RX 480 from AMD.  The new kernel also contains a new security feature called LoadPin which ensures that kernel-loaded files come from within the same file system in an attempt to maintain security without requiring each file to be individually signed.  There were also some improvements made to network drivers along with several other changes which The Inquirer covers in their own unique manner.

"Despite it being two weeks since RC7, the final patch wasn't all that big and much of it is trivial one- and few-liners. There's a couple of network drivers that got a bit more loving."

Source: The Inquirer

Ya, so our IoT enabled toasters need patching ... oh, only around 5 million, why is that a problem?

Subject: General Tech | July 20, 2016 - 12:45 PM |
Tagged: iot, security, amazon, Intel

The Register brings up the issue of IoT security once again today, this time looking at the logistics of patching and updating a fleet of IoT devices.  Amazon is focusing on dumb devices with a smart core: the physical device has the sensors required and a connection to the net to send all data to be processed in a large database, which would be much easier to maintain but does raise other security issues.  Intel, on the other hand, unsurprisingly prefers end devices with some smarts, such as their Curie and Edison modules, with a smarter gateway device sitting between those end devices and the same sort of large server-based computing as Amazon.

Intel's implementation may be more effective in certain environments than Amazon's (El Reg uses the example of an oil rig), but would be more expensive to purchase and maintain.  Take a look at the article for a deeper look, or just imagine the horrors of pushing out a critical patch to 1000s of devices in an unknown state when you go live.

"Internet of Things (IoT) hype focuses on the riches that will rain from the sky once humanity connects the planet, but mostly ignores what it will take to build and operate fleets of things.

And the operational side of things could be hell."

Source: The Register

Linux on a highway, I wanna ride it all night long

Subject: General Tech | July 14, 2016 - 01:28 PM |
Tagged: linux, iot, security, Automotive Grade Linux

Has the almost obscene lack of security in automobile software made you somewhat paranoid, even if you trust the Tesla autopilot?  Has the fact that a mere attempt to access your car's software could land you in jail turned you completely off of buying a car less than 10 years old?

How would you feel about a version of Linux controlling some of the features of your car?  That is exactly what the Linux Foundation is working on with the AGL project.  The hardware used will include DragonBoard, Wandboard, and Raspberry Pi, and automobile manufacturers joining the project include Ford, Subaru, Mazda, Mitsubishi, Toyota, Nissan, and Jaguar Land Rover.  So far the project only encompasses in-car entertainment but it does have the potential to grow beyond that.  Check out the story on Linux.com for more.

"The Linux Foundation’s Automotive Grade Linux (AGL) project, which is developing a “Linux-based, open platform for the connected car,” announced the release of the second version of its Unified Code Base (UCB) distribution for in-vehicle infotainment (IVI)."

Source: Linux.com

Yes, some of your users' phones are infected

Subject: General Tech | July 5, 2016 - 12:32 PM |
Tagged: security, Malware

Managing mobile devices in an enterprise environment is a nightmare, even with properly set up security policies and some sort of Mobile Device Manager.  Security firm Skycure recently estimated one in every 200 devices is infected with some form of malware, which seems a bit low, especially considering that some of the devices tested had 290 apps installed.  Infections of Android devices are most common, but do not think for a moment that your iOS device is safe; it may only be half as likely to be compromised but it does indeed have serious vulnerabilities as well.  Drop by The Register for a look at the numbers of bad apps on various stores.

"Researchers found enterprises have three unique infection instances with devices sporting an eye-watering average of 290 apps a piece."

Source: The Register

More Examples of Why AV Software Can Be Bad

Subject: General Tech | July 5, 2016 - 02:13 AM |
Tagged: symantec, security

I know that I've mentioned this in the past, and I'm not advocating running no antivirus software, but it's good to remember that you're using high-privileged software to load untrusted data. While mistakes can happen in any reasonably complex software, some companies are more complacent than others, and some design choices fail to respect the trust you have in them. Symantec, as far as I know, has one of the better reputations of security companies, but this flaw is terrible.

Basically, to detect malware that has been obfuscated by executable compression, antivirus software unpacks it itself and looks. Symantec's solution runs in the kernel, allowing any malware that targets it to have kernel permissions. They were also using “at least” seven-year-old forks of open source libraries. Well... crap.

The bugs have been privately disclosed to Symantec, and fixed before Google went public. If you have any Symantec, or their consumer brand, Norton, software, then make sure it's up to date. Consumer software will have the fix pushed through LiveUpdate, but some products, like Symantec Endpoint Protection and Symantec Protection for SharePoint Servers, might require administrator action.

Source: Google

Doctor, treat thyself .. or at least the hospital please

Subject: General Tech | June 29, 2016 - 01:36 PM |
Tagged: hospital, security, winxp, Malware

For the past few years we have heard about some rather horrific security vulnerabilities in hospitals and sadly this has not changed at all.  Indeed, many hospitals are still on older, unsupported OSes such as WinXP, and most security software no longer protects against the malware which was used.  In one case a hospital using centralised intrusion detection software, updated endpoint protection, and a new model firewall was still compromised using very old malware.  In most of the cases described by The Register it was personal data and medical records which were compromised, but that doesn't mean the medical appliances and physical security systems are not also vulnerable to attack.

"Attackers have popped three prominent US hospitals, using deliberately ancient malware so old that it slips under the radar of modern security controls to compromise Windows XP boxes and gain network beachheads."

Source: The Register