What did we just tell you about bloatware?! Now ASUS Live Update is the risk of the day

Subject: General Tech | June 6, 2016 - 02:26 PM |
Tagged: asus, bloatware, security

After last week, when several laptop OEMs, including Lenovo once again, were caught installing highly insecure bloatware on their laptops, you might hope that this week would be different.  Sadly you would be mistaken, as once again software preinstalled on laptops is in the news.  In this case it is ASUS Live Update, which transmits requests for updates in plain text and does not check the authenticity of any software updates that come back.  This of course leaves you wide open to man-in-the-middle attacks, where someone posing as those update servers could feed you whatever installation files they desired.  As the pull quote from The Inquirer below states, removing it immediately would be a very good idea.

"My advice to anyone who purchased an Asus device: remove LiveUpdate. It's really that simple. If you're an IT administrator, find devices making periodic calls to Asus's domains and blackhole them, get the user to come and see you,"

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer
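
The administrator advice quoted above, finding devices that make periodic calls to the vendor's domains, sketched as an added example (not code from the article or from The Inquirer). The log format, the `vendor-update.example` suffix and the thresholds are assumptions; substitute the update domains observed in your own resolver logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Placeholder suffix: substitute the vendor update domains seen in your own logs.
VENDOR_SUFFIXES = ("vendor-update.example",)

# Constructed sample resolver log: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2016-06-06T08:00:02 10.0.0.21 dl.vendor-update.example
2016-06-06T08:14:11 10.0.0.35 www.vendor-update.example
2016-06-06T09:00:05 10.0.0.21 dl.vendor-update.example
2016-06-06T09:03:40 10.0.0.35 www.vendor-update.example
2016-06-06T10:00:01 10.0.0.21 dl.vendor-update.example
2016-06-06T10:20:00 10.0.0.44 intranet.corp.example
2016-06-06T11:00:04 10.0.0.21 dl.vendor-update.example
2016-06-06T13:47:30 10.0.0.35 www.vendor-update.example
2016-06-06T13:49:02 10.0.0.35 www.vendor-update.example
""".splitlines()

def matches(name, suffixes):
    """True if name is a listed domain or a subdomain of one (label-aligned)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)

def find_periodic_callers(lines, suffixes=VENDOR_SUFFIXES, min_hits=4, max_cv=0.1):
    """Return {client_ip: mean_interval_seconds} for clients whose queries to
    the vendor domains are evenly spaced (coefficient of variation <= max_cv)."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not matches(parts[2], suffixes):
            continue  # skip malformed lines and unrelated domains
        seen[parts[1]].append(datetime.fromisoformat(parts[0]))
    flagged = {}
    for client, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[client] = round(avg)
    return flagged

if __name__ == "__main__":
    for ip, secs in find_periodic_callers(SAMPLE_LOG).items():
        print(f"{ip}: vendor update check roughly every {secs}s")
```

The evenly spaced client is the one running a scheduled updater; the client with irregular gaps is more likely a person browsing the vendor's site, so it is left off the list.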

A Potentially More Harmful Coil Whine Issue

Subject: General Tech | June 5, 2016 - 02:18 PM |
Tagged: security, Cyber Security, coil whine

As new hardware launches, many readers ask whether it produces any noticeable coil whine. For instance, this is an issue for graphics cards that are outputting a very high frame rate. The electronics create sound from the current oscillating as it flows through them. It can also be an issue for motherboards or power supplies. You can check out this fairly old video from LinusTechTips for a demonstration.

Image Credit: ACM

It turns out that, because this whine is related to the signal flowing through the oscillating circuit, security researchers are looking into the types of information that can be inferred from the whine. In particular, the Association for Computing Machinery (ACM) published a paper called Physical Key Extraction Attacks on PCs. It discusses several methods of attacking a device, such as reading minor fluctuations in its grounding plug or monitoring induced radiation with an antenna. Its headlining method is “Acoustic”, though: it listens to the coil whine the computer produces as it decrypts RSA messages sent to it, and uses that sound to recover the RSA secret key.

While they have successfully demonstrated the attack using a parabolic microphone from 33ft away, and in a second demonstration using a mobile phone from 1ft away, the news should be taken with a grain of salt. Mostly, it's just interesting to realize that there's nothing really special about a computer. All it does is store and process data on whatever physical state we have available in the world. Currently, that's almost always radio-frequency radiation flowing through semiconductors. Whatever we use will have consequences. For instance, as transistors get smaller, to push more complex signals through a given surface area and power, we'll eventually run out of atoms.

This is just another, often forgotten side-effect: electric signals induce the transfer of energy. It could be electromagnetic, acoustic, or even thermal. In the realm of security, this could, itself, carry some of the data that we attached to our world's state, and allow others to access it (or sometimes modify it) without our knowledge or consent.

Just say no to Accelerator support applications; yet another Lenovo vulnerability

Subject: General Tech | June 3, 2016 - 04:10 PM |
Tagged: Lenovo, security, idiots, superfish

At some point they may learn, but obviously not yet, as Lenovo's Accelerator support application opens two vulnerabilities on systems with the application installed.  As it uses unencrypted transmissions during the update process and does not verify the application you receive, you are vulnerable to man-in-the-middle attacks.  There are 6 notebooks and 25 desktop lines with this issue, although ThinkPads and ThinkStations are not on the list.  If you have the software you should remove it immediately.  More over at The Register.

"Duo Security researcher Mikhail Davidov reported the holes that would allow eavesdropping attackers to tap into Accelerator's unencrypted update channels to compromise users."

Source: The Register

Great, everyone's bloatware is making your new system vulnerable

Subject: General Tech | June 1, 2016 - 01:08 PM |
Tagged: security, Lenovo, hp, dell, crapware, asus, acer

We take a quick break from telling you about all the shiny new things you can't have yet to inform you about problems with things you do have.  Bloatware is awful but continues to be popular with sellers of prebuilt systems, both mobile and desktop.  It is not just the pop-ups telling you to buy the full version of whatever was installed on your system before you bought it, nor the CPU cycles these programs take up; the issue is security.  Lenovo and the Superfish issue were in the news recently, and now it seems that vulnerabilities have been found in systems sold by Acer, ASUS and Dell as well.  10 devices were tested by Duo Security, all of which had vulnerabilities.  Dell and Lenovo had a single problem each, ones which we are sadly already familiar with, while Acer and HP both have a pair.  You can read about what the vulnerabilities are over at The Inquirer, something to do while you reimage your new machine.

"Duo Security identified 12 vulnerabilities across the vendors' machines. We have approached all of them to see whether they are happy to talk about the problems, which Duo described as significant."

Source: The Inquirer

So long WiFi Sense, don't let the door hit you ...

Subject: General Tech | May 11, 2016 - 01:26 PM |
Tagged: wifi sense, security, microsoft

Here is an update we can get behind!  Windows 10 Build 14342 will no longer have WiFi Sense, that bizarre feature Microsoft added which would pass on any of your stored WiFi passwords to your contacts, as well as overriding your preferred network if one of your contacts' signals was available.  This caused a certain amount of alarm, as you might not trust every contact you have on Outlook.com with your WiFi password, nor trust their WiFi networks.  The blather about high cost and low demand is an interesting cover for changing their minds; regardless, it is good to see it go.  There were a couple of other updates included in this release; check them out at The Inquirer.

"We have removed the WiFi Sense feature that allows you to share WiFi networks with your contacts and to be automatically connected to networks shared by your contacts," explained Aul.

Source: The Inquirer

Psst Comrade! Want to buy some email account details cheap?

Subject: General Tech | May 4, 2016 - 12:39 PM |
Tagged: security

272.3 million is a big number and sadly it refers to the number of email accounts which have been affected by a recent data breach.  The vast majority of the accounts are from Russia's Mail.ru but Yahoo accounts for 15%, Hotmail 12% and Gmail 9% of the leak.  With 50 rubles and the right connections you can have the email addresses and passwords of a very large number of people.  Sadly, The Inquirer also heard that this collection includes details of user accounts of US banking, manufacturing and retail companies.  When you are changing your passwords today, try to avoid obvious Star Wars references.

"Reuters has the scoop, having heard from Alex Holden, founder and chief information security officer of Hold Security - and the man who last year uncovered the largest data breach to date - that the details of 272.3 million stolen accounts are being traded."

Source: The Inquirer

Patch 'em if you got 'em; 40 Google patches for you

Subject: General Tech | May 3, 2016 - 02:09 PM |
Tagged: Android, google, security

Assuming your service provider is not one of those who block Google's patches from coming to you directly, you should probably charge up that device, get on WiFi and check your available updates.  Any Google device running 4.4.4 or newer, including Nexus devices, will have up to 40 patches to slurp up.  Many of the patches are for a vulnerability similar to the previous Stagefright exploit; apps can use the drivers from Qualcomm and NVIDIA to break into the Qualcomm TrustZone on unpatched devices.  The Register provides a full list of the patches which are being pushed to Nexus and Android One devices.

"Google has today issued a bundle of 40 security patches for its Android operating system.

A dozen of the fixes correct critical vulnerabilities in versions 4.4.4 of the operating system and above. About 74 per cent of in-use Android devices run Android 4.4.4 or higher."

Source: The Register

I love it when a bad guy's plan doesn't come together

Subject: General Tech | March 17, 2016 - 01:25 PM |
Tagged: ransomware, Malware, security, idiots

With the lousy news below the fold, up to and including yet another StageFright exploit, here is a bit of amusing news to balance out the bad.  A recently unleashed ransomware program seems to have been developed on stolen code and the original developer has taken offence to this.  His original program, EDA2, was designed to illustrate how ransomware works and he intentionally included a backdoor to ensure that the data could be unencrypted. 

He has used that backdoor to break into the program and has obtained the complete list of decryption keys and posted them to the net; The Register has a link to that list right here.  It is good for the soul to see incompetent bad guys every once in a while.

"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."

Source: The Register

Oh snap, old phones and new IoT devices just sprung another leak

Subject: General Tech | March 15, 2016 - 01:11 PM |
Tagged: snapdragon, qualcomm, security, iot

Trend Micro discovered vulnerabilities in the Qualcomm Snapdragon 800 series, including the 800, 805 and 810, on devices running a 3.10-version kernel.  They have privately discussed the issue with Google, who have since pushed out updates to resolve these issues on their phones, preventing attackers from gaining root access with a specially crafted app.  Unfortunately that is the tip of the iceberg as, according to Qualcomm, more than a billion devices use Snapdragon processors or modems, many of them IoT devices which have not had this update.  With the already fragmented market getting worse as everyone and their dog are now creating IoT devices, the chances are very good that your toaster, fridge and other random internet connected devices are vulnerable and will remain so.

You should think twice when considering the balance of convenience and security when you are purchasing internet connected household appliances and other IoT devices.  You can see what Slashdot readers think about this here if you so desire.

"Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices."

Source: Slashdot

If you have a Trane thermostat you should update the firmware immediately

Subject: General Tech | February 9, 2016 - 01:30 PM |
Tagged: trane, iot, security

It is not a good sign when a security team refers to your smart thermostat as "a little malware store", especially when the flaws have been known for some time.  Indeed, the original issue of hardcoded SSH passwords has been known since 2014 and the update took a year to be created.  Unfortunately most owners of a Trane thermostat will not have upgraded their firmware, even if they knew about the update, as it is not something which was installed remotely.  Instead you need to download the new firmware onto an SD card and manually install it on the thermostat.  Last month another update was released to address a remote code execution vulnerability in the ComfortLink II, which was not generally known until The Register posted about it today.  If you are using this device you should get an SD card handy and download the firmware.

"In April 2015, one year after the first alert, Trane fixed the hardcoded password issue with a new release of the ComfortLink's firmware. Cisco then tipped off US CERT about the remaining issues. Trane eventually addressed the flaws in its code in January 2016, but didn't tell its customers that new firmware is available."

Source: The Register