Are you going to phish or cut clickbait?

Subject: General Tech | February 4, 2016 - 02:08 PM |
Tagged: security, google

Remember the thrill of finding the actual download button for the software you need, hidden on a webpage featuring at least four other large download buttons leading to unrelated and generally nasty software?  Well those horrible people at Google want to take that joy away from you!  Instead of practicing your skills at slapping the monkey, shooting the duck or pretending you are on an online version of Let's Make a Deal trying to pick the right download button to reveal the prize you want, they will present you with a bright red warning screen. 

For some reason those hacks over at The Inquirer think it is a good idea to take away the hours of time spent with your family, and all the interesting things that "just appeared" on their machines.

"Google is still chipping away at creating a secure online experience and has just unearthed a new element for safe browsing that stops click-happy idiots doing click-stupid things."

Source: The Inquirer

Next on the list of companies which should know better is Malwarebytes, but it is not as bad as some say

Subject: General Tech | February 3, 2016 - 12:46 PM |
Tagged: security, Malwarebytes

Considering the business that Malwarebytes is in, you can expect to see a lot of negative press about a gaping security hole in the near future, and while there is a vulnerability, it is not as bad as many will make it out to be.  The issue is that signature updates are done over HTTP and are unsigned, which is very bad practice, but it is something which would be exploited on a single client connection as opposed to something you could use to create a widespread infection.  The Register links to the Google Project Zero entry, which was released today because the vulnerability was first reported to Malwarebytes 90 days ago and has not been addressed on the client side.

The actual concern you should have is that the original bug report also found vulnerabilities on the server side.  Malwarebytes did correct the server side issues almost immediately but neglected to follow through on the client side.  It is good of them to patch and offer bug bounties but a complete follow through is necessary if you are a security software peddler who wants their reputation to stay intact.

"The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs."

Source: The Register

Sharing is good ... until it starts eating your bandwidth

Subject: General Tech | January 29, 2016 - 02:32 PM |
Tagged: security, isp, wifi

ISPs have stumbled onto a new money-making venture: renting out your wireless internet connection to third parties so that those companies can provide public WiFi to their customers.  Sources told The Inquirer that some ISPs already do this without informing their customers and that it will likely be a common industry practice by 2017.  Theoretically you are allowed to opt out, but since your ISP may not have told its users it is doing this, how would the average customer know to request this be turned off?

This raises several concerns, especially here in North America thanks to our pathetic internet services.  Most users have a data cap, and the ISPs have little reason to spend resources to properly monitor who is using the bandwidth, their customers or random passersby.  As well, the speeds of most customers are low enough that they may see degradation of their service if numerous passersby connect to their WiFi.  Putting the monetary concerns to the side, there are also serious security concerns.  Once a user has access to your WiFi router they are most of the way into your network, and services such as UPnP and unprotected ports leave you vulnerable to attack.

Change the password your provider put on the router and consider reaching out to them to find out if you have been unwillingly sharing your bandwidth already, or if you might be doing so in the near future.

"Companies are going to be selling a lot more public Wi-Fi plans over the next few years and it's going to be home Wi-Fi users who'll be the backbone of the network, according to analysts from Juniper Research."

Source: The Register

Ever been so sick of a song you considered veering off the road to make it stop?

Subject: General Tech | January 27, 2016 - 01:24 PM |
Tagged: Usenix Enigma, security, iot

The good news is that this particular bug has been addressed, but that does not make the vulnerability any less terrifying.  A mere 18 seconds of playtime on a compromised audio CD in your car is enough to insert the attack code and gain complete control over your car's computer-controlled systems.  This particular vulnerability was discovered in 2010, long before the more recent vulnerabilities you would have seen all over various media.  You could shut off the engines, forcibly unlock the doors, interfere with steering and many other functions that could well cause serious damage at highway speeds or in other scenarios.

When placing the blame, The Inquirer makes sure to point out that you should not look to the car companies, as it is the software providers who are the source of the problem.  Thanks to various corporate policies, no car company has access to all of the source code running in their products, so a security audit will not help.  Even better is the inclusion of a government-mandated OBD-II port which allows complete control over your car's systems, and which you should not touch, as simply plugging into it would be a crime in the USA.  There is some good news: this vulnerability resulted in Fiat Chrysler recalling 1.4 million cars at a cost of about a quarter of a billion dollars ... an expensive mistake that may convince them to change their software implementation processes.

"The modern car's operating system is such a mess that researchers were once able to get complete control of a vehicle by playing a song laced with malicious code. Malware encoded in the track was executed after the file was loaded from a CD and processed by a buggy parser."

Source: The Register

New, from the company that brought you SuperFish ...

Subject: General Tech | January 26, 2016 - 12:13 PM |
Tagged: security, Lenovo, idiots

Lenovo chose the third most popular password of 2015 to secure its ShareIT for Windows application and, for bonus points, has hard-coded it, for which there is utterly no excuse in this day and age.  If you aren't familiar with the software, it is another Dropbox-type app which allows you to share files and folders, apparently with anyone now that this password ridiculousness has been exposed.  As you read on at The Inquirer the story gets even better: files are transferred in the clear without any encryption, and it even creates an open WiFi hotspot for you, to make sharing your files even easier for all and sundry.  There are more than enough unintentional vulnerabilities in software and hardware; we really don't need companies programming them in on purpose.  If you have ShareIT, you should probably DumpIT.

***Update***

We received word that there is an updated version of ShareIT available for those who do use the app and would like to continue to do so.

They can also access the latest versions which are posted and available for download on the Lenovo site. The updated Android version of SHAREit is also available for download on the Google Play store. Please visit the Lenovo security advisory page for the latest information and updates: (https://support.lenovo.com/us/en/product_security/len_4058)

"HOLY COW! Lenovo may have lost its mind. The firm has created vulnerabilities in ShareIT that could be exploited by anyone who can guess that '12345678' could be a password."

Source: The Inquirer

Know anyone who uses the Intel Driver Update Utility? Update the updater ASAP

Subject: General Tech | January 21, 2016 - 12:52 PM |
Tagged: Intel, intel driver update utility, security

The Intel Driver Update Utility is not the most commonly found application on PCs, but someone you know may have stumbled upon it or had it installed by Geek Squad or the local equivalent.  The tool has been available since Windows Vista; it checks your system for any Intel parts, from your APU to your NIC, and then looks for any applicable drivers that are available.  Unfortunately it was doing so over a non-SSL URL, which leaves the utility wide open to a man-in-the-middle attack, and you really do not want a compromised NIC driver.  The Inquirer reports today that Intel quietly updated the tool on January 19th to resolve the issue, ensuring all communication and downloads are over SSL.  If you know anyone using this tool, recommend they update it immediately.

"Intel has issued a fix for a major security vulnerability in a driver utility tool that could have allowed a man-in-the-middle attack and a malware maelstrom on victims' computers."

Source: The Inquirer

Just fondle your mouse to log into Windows?

Subject: General Tech | January 20, 2016 - 12:19 PM |
Tagged: fingerprint, synaptics, ironveil, security

Synaptics, the company most likely responsible for the trackpad on your laptop, has released a new product, a 4x10mm fingerprint sensor which goes by the name of IronVeil.  The idea behind the product is to incorporate it into peripherals and pair it with Windows Passport to allow you to log in by touching your mouse or keyboard, similar to the current generation of cellphones.  Synaptics also suggests it could be used in eSports to ensure that the person behind the mouse is indeed who they claim to be.  In their recent article, The Tech Report tried out a Thermaltake Black V2 mouse with the sensor embedded; they talk about their experiences with the mouse and introduce you to the FIDO Alliance and some of the authentication process which occurs behind the scenes.

One cannot help but point out that while passwords can be hashed and salted, the same cannot be said for fingerprints, which leads us back to previously mentioned concerns about the security of the online storage databases these prints would be stored in.  The eternal battle of convenience versus security rages on.

"Synaptics' IronVeil is a tiny fingerprint sensor module that serves as the foundation for a variety of new authentication techniques for home and business users alike. We've spent a couple weeks with a pre-production IronVeil mouse, and we've explored how it might be used in practice."

It's fixed now but for a while there your Ring let people into more than just the door

Subject: General Tech | January 13, 2016 - 12:27 PM |
Tagged: ring, iot, security, gainspan

The Ring WiFi-enabled video doorbell, with optional smartlock compatibility to let visitors in remotely, would also share your WiFi password with anyone who knew how to ask.  Just use a Torx screwdriver to pop the doorbell off, press the setup button on the back and connect to the Ring and you can get the network's SSID and PSK in plain text.  Thankfully Ring has pushed out an update to resolve this issue, but it is a perfect demonstration of the abysmal security on IoT devices and the lack of any thought about security implications by users or makers of these new devices.  The Register also mentions the Fitbit Aria bathroom scale as being vulnerable in the exact same way, as it also uses Gainspan wireless, though at least the scale is inside your house, not accessible to anyone wandering by.

"Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell. The issue – now resolved – underlines how default configurations of IoT components can introduce easy to exploit security holes."

Source: The Register

Valve Comments on Christmas Security Issues

Subject: General Tech | December 30, 2015 - 11:48 PM |
Tagged: valve, steam, security, Privacy

On Christmas Day, Valve had a few hours of problems. Their servers were being overloaded by malicious traffic. The best analogy that I could provide would be a bad organization who sent a thousand people to Walmart, to do nothing but stand in the check-out line and ask the cashier about the time. This clogs up the infrastructure, preventing legitimate customers from making their transactions. This was often done after demanding a ransom. Don't pay? Your servers get clogged at the worst time.

A little too much sharing...

There are two ways to counteract a DDoS attack: add hardware or make your site more efficient.

When a website is requested, the server generates the page and sends it to the customer. This process is typically slow, especially for complicated sites that pull data from one or more database(s). It then feeds this data to partners to send to customers. Some pages, like the Steam Store's front page, are mostly the same for anyone who views it (from the same geographic region). Some pages, like your order confirmation page, are individual. You can save server performance by generating the pages only when they change, and giving them to relevant users from the closest delivery server.

Someone, during a 20-fold spike in traffic relative to the typical Steam Sale volume, accidentally started saving (caching) pages with private information and delivering them to random users. This includes things like order confirmation and contact information pages for whatever logged-in account generated them. This is pretty terrible for privacy. Again, it does not allow users to interact with the profiles of other users, just see the results that other users generated.

But this is still quite bad.

Users complained, especially on Twitter, that Valve should have shut down their website immediately. From my position, I agree, especially since attempting to make a purchase tells the web server to pull the most sensitive information (billing address, etc.) from the database. I don't particularly know why Valve didn't, but I cannot see that from the outside.

It's probably a simple mistake to make, especially since Valve seems to blame a third party for the configuration issue. On the other hand, that also meant that Valve structured their website such that sensitive information is in the hands of third parties to properly cache. That might have been necessary, depending on their browser compatibility requirements, but I would hope that it's something Valve restructures in the future. (For instance, have the caching server store the site's framework, and fill in the individual's data with a JavaScript request to another, uncached server.)

But again, I don't work there. I don't know the details.
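The caching failure described in this post, as an added example that is not Valve's code or configuration: a toy shared cache keyed on the URL alone hands one user's page to the next visitor when it stores everything, and stops doing so once it honors the origin's Cache-Control headers. The paths, users, and the assumption that the misconfigured cache ignored those headers are all constructed for illustration.

```python
# Added example: a toy shared (edge) cache. All names and pages are constructed.

def origin(path, user):
    """Constructed origin: the store front is shared, /account is per-user."""
    if path == "/store":
        return {"headers": {"Cache-Control": "public, max-age=60"},
                "body": "Front page"}
    return {"headers": {"Cache-Control": "private, no-store"},
            "body": f"Billing address for {user}"}


def cacheable(response):
    """A shared cache may store only what the origin marks as shareable."""
    raw = response["headers"].get("Cache-Control", "")
    directives = {d.strip().split("=")[0].lower() for d in raw.split(",")}
    if directives & {"private", "no-store"}:
        return False
    # Conservative policy (an assumption): never store responses that set cookies.
    if "Set-Cookie" in response["headers"]:
        return False
    return bool(directives & {"public", "s-maxage", "max-age"})


class EdgeCache:
    def __init__(self, honor_headers):
        self.honor_headers = honor_headers  # False models the misconfiguration
        self.store = {}

    def get(self, path, user):
        if path in self.store:              # key is the URL only, not the user
            return self.store[path]
        response = origin(path, user)
        if not self.honor_headers or cacheable(response):
            self.store[path] = response["body"]
        return response["body"]


def demo(honor_headers):
    """Return what bob sees after alice has loaded the same account URL."""
    cache = EdgeCache(honor_headers)
    cache.get("/account", "alice")
    return cache.get("/account", "bob")


if __name__ == "__main__":
    print("cache-everything:", demo(False))
    print("honor headers:   ", demo(True))
```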

Source: Valve

Sigh ... your Windows 10 device is probably only as secure as Microsoft's database

Subject: General Tech | December 29, 2015 - 02:13 PM |
Tagged: microsoft, windows 10, security

If your Windows 10 machine uses your Microsoft account as the login, then your system's recovery key now resides on a Microsoft database in the cloud.  That recovery key is used in the file system encryption present on Windows 10 systems.  The backup is good news for people who find themselves with computer problems and need access to the key from a different machine; however, this is also a huge security concern as your key could be stolen or demanded from Microsoft.  Follow the link from the Slashdot article to find out how to delete that backed-up recovery key, and consider using a domain or workgroup style account as opposed to a Microsoft account to log into your machine.

"The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud.....As soon as your recovery key leaves your computer, you have no way of knowing its fate."

Source: Slashdot