I love it when a bad guy's plan doesn't come together

Subject: General Tech | March 17, 2016 - 01:25 PM |
Tagged: ransomware, Malware, security, idiots

With the lousy news below the fold, up to and including yet another StageFright exploit, here is a bit of amusing news to balance out the bad.  A recently unleashed ransomware program seems to have been developed on stolen code and the original developer has taken offence to this.  His original program, EDA2, was designed to illustrate how ransomware works and he intentionally included a backdoor to ensure that the data could be unencrypted. 

He has used that backdoor to break into the program, obtained the complete list of decryption keys and posted them to the net; The Register has a link to that list right here. It is good for the soul to see incompetent bad guys every once in a while.

"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Oh snap, old phones and new IoT devices just sprung another leak

Subject: General Tech | March 15, 2016 - 01:11 PM |
Tagged: snapdragon, qualcomm, security, iot

Trend Micro discovered vulnerabilities in the Qualcomm Snapdragon 800 series, including the 800, 805 and 810, on devices running a 3.10-version kernel. They have privately discussed the issue with Google, who have since pushed out updates to resolve these issues on their phones, preventing attackers from gaining root access with a specially crafted app. Unfortunately that is the tip of the iceberg: according to Qualcomm, more than a billion devices use Snapdragon processors or modems, many of them IoT devices which have not had this update. With the already fragmented market getting worse as everyone and their dog is now creating IoT devices, the chances are very good that your toaster, fridge and other random internet connected devices are vulnerable and will remain so.

You should think twice when considering the balance of convenience and security when you are purchasing internet connected household appliances and other IoT devices.  You can see what Slashdot readers think about this here if you so desire.

"Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices."

Source: Slashdot

If you have a Trane thermostat you should update the firmware immediately

Subject: General Tech | February 9, 2016 - 01:30 PM |
Tagged: trane, iot, security

It is not a good sign when a security team refers to your smart thermostat as "a little malware store", especially when the flaws have been known for some time. Indeed the original issue of hardcoded SSH passwords has been known since 2014 and the update took a year to be created. Unfortunately most owners of a Trane thermostat will not have upgraded their firmware, even if they knew about the update, as it is not something which is installed remotely. Instead you need to download the new firmware onto an SD card and manually install it on the thermostat. Last month another update was released to address a remote code execution vulnerability in the ComfortLink II, which was not generally known until The Register posted about it today. If you are using this device you should get an SD card handy and download the firmware.

"In April 2015, one year after the first alert, Trane fixed the hardcoded password issue with a new release of the ComfortLink's firmware. Cisco then tipped off US CERT about the remaining issues. Trane eventually addressed the flaws in its code in January 2016, but didn't tell its customers that new firmware is available."

Source: The Register

Are you going to phish or cut clickbait?

Subject: General Tech | February 4, 2016 - 02:08 PM |
Tagged: security, google

Remember the thrill of finding the actual download button for the software you need, hidden on a webpage featuring at least four other large download buttons leading to unrelated and generally nasty software?  Well those horrible people at Google want to take that joy away from you!  Instead of practicing your skills at slapping the monkey, shooting the duck or pretending you are on an online version of Let's Make a Deal trying to pick the right download button to reveal the prize you want, they will present you with a bright red warning screen. 

For some reason those hacks over at The Inquirer think it is a good idea to take away the hours of time spent with your family, and all the interesting things that "just appeared" on their machines.

"Google is still chipping away at creating a secure online experience and has just unearthed a new element for safe browsing that stops click-happy idiots doing click-stupid things."

Source: The Inquirer

Next on the list of companies which should know better is Malwarebytes, but it is not as bad as some say

Subject: General Tech | February 3, 2016 - 12:46 PM |
Tagged: security, Malwarebytes

Considering the business that Malwarebytes is in, you can expect to see a lot of negative press about a gaping security hole in the near future, and while there is a vulnerability it is not as bad as many will make it out to be. The issue is that signature updates are done over HTTP and are unsigned, which is very bad practice but something which would be exploited on a single client connection, as opposed to something you could use to create a widespread infection. The Register links to the Google Project Zero entry which was released today, as the vulnerability was first reported to Malwarebytes 90 days ago and has not been addressed on the client side.

The actual concern you should have is that the original bug report also found vulnerabilities on the server side.  Malwarebytes did correct the server side issues almost immediately but neglected to follow through on the client side.  It is good of them to patch and offer bug bounties but a complete follow through is necessary if you are a security software peddler who wants their reputation to stay intact.

"The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs."

Source: The Register

Sharing is good ... until it starts eating your bandwidth

Subject: General Tech | January 29, 2016 - 02:32 PM |
Tagged: security, isp, wifi

ISPs have stumbled onto a new money making venture: renting out your wireless internet connection to third parties so that those companies can provide public WiFi to their customers. Sources told The Inquirer that some ISPs already do this without informing their customers and that it will likely be a common industry practice by 2017. Theoretically you are allowed to opt out, but since your ISP may not have told its users it is doing this, how would the average customer know to request this be turned off?

This raises several concerns, especially here in North America thanks to our pathetic internet services.  Most users have a data cap and the ISPs have little reason to spend resources to properly monitor who is using the bandwidth, their customers or random passersby.  As well the speeds of most customers are low enough that they may see degradation of their service if numerous passersby connect to their WiFi.  Putting the monetary concerns to the side there are also serious security concerns.  Once a user has access to your WiFi router they are most of the way into your network and services such as UPnP and unprotected ports leave you vulnerable to attack.

Change the password your provider put on the router and consider reaching out to them to find out if you have been unwillingly sharing your bandwidth already, or if you might be doing so in the near future.

"Companies are going to be selling a lot more public Wi-Fi plans over the next few years and it's going to be home Wi-Fi users who'll be the backbone of the network, according to analysts from Juniper Research."

Source: The Register

Ever been so sick of a song you considered veering off the road to make it stop?

Subject: General Tech | January 27, 2016 - 01:24 PM |
Tagged: Usenix Enigma, security, iot

The good news is that this particular bug has been addressed, but that does not make the vulnerability any less terrifying. A mere 18 seconds of playtime on a compromised audio CD in your car is enough to insert the attack code and gain complete control over your car's computer-controlled systems. This particular vulnerability was discovered in 2010, long before the more recent vulnerabilities you would have seen all over various media. You could shut off the engines, forcibly unlock the doors, interfere with steering and many other functions that could well cause serious damage at highway speeds or in other scenarios.

When placing the blame, The Inquirer makes sure to point out that you should not look to the car companies as it is the software providers who are the source of the problem. Thanks to various corporate policies no car company has access to all of the source code running in their products, so a security audit will not help. Even better is the inclusion of a government-mandated OBD-II port which allows complete control over your car's system, which you should not touch as simply plugging into it would be a crime in the USA. There is some good news: this vulnerability resulted in Fiat Chrysler recalling 1.4 million cars at a cost of about a quarter of a billion dollars ... an expensive mistake that may convince them to change their software implementation processes.

"The modern car's operating system is such a mess that researchers were once able to get complete control of a vehicle by playing a song laced with malicious code. Malware encoded in the track was executed after the file was loaded from a CD and processed by a buggy parser."

Source: The Register

New, from the company that brought you SuperFish ...

Subject: General Tech | January 26, 2016 - 12:13 PM |
Tagged: security, Lenovo, idiots

Lenovo chose the third most popular password of 2015 to secure its ShareIT for Windows application and, for bonus points, has made it hardcoded, which there is utterly no excuse for in this day and age. If you aren't familiar with the software, it is another Dropbox type app which allows you to share files and folders, apparently with anyone now that this password ridiculousness has been exposed. As you read on at The Inquirer the story gets even better: files are transferred in the clear without any encryption and it even creates an open WiFi hotspot for you, to make sharing your files even easier for all and sundry. There are more than enough unintentional vulnerabilities in software and hardware; we really don't need companies programming them in on purpose. If you have ShareIT, you should probably DumpIT.

***Update***

We received word that there is an updated version of ShareIT available for those who do use the app and would like to continue to do so.

They can also access the latest versions which are posted and available for download on the Lenovo site. The updated Android version of SHAREit is also available for download on the Google Play store. Please visit the Lenovo security advisory page for the latest information and updates: (https://support.lenovo.com/us/en/product_security/len_4058)

"HOLY COW! Lenovo may have lost its mind. The firm has created vulnerabilities in ShareIT that could be exploited by anyone who can guess that '12345678' could be a password."

Source: The Inquirer

Know anyone who uses the Intel Driver Update Utility? Update the updater ASAP

Subject: General Tech | January 21, 2016 - 12:52 PM |
Tagged: Intel, intel driver update utility, security

The Intel Driver Update Utility is not the most commonly found application on PCs but someone you know may have stumbled upon it or had it installed by Geek Squad or the local equivalent. The tool has been available since Windows Vista; it checks your system for any Intel parts, from your APU to your NIC, and then looks for any applicable drivers that are available. Unfortunately it was doing so over a non-SSL URL, which leaves the utility wide open to a man-in-the-middle attack, and you really do not want a compromised NIC driver. The Inquirer reports today that Intel quietly updated the tool on January 19th to resolve the issue, ensuring all communication and downloads are over SSL. If you know anyone using this tool, recommend they update it immediately.

"Intel has issued a fix for a major security vulnerability in a driver utility tool that could have allowed a man-in-the-middle attack and a malware maelstrom on victims' computers."

Source: The Inquirer

Just fondle your mouse to log into Windows?

Subject: General Tech | January 20, 2016 - 12:19 PM |
Tagged: fingerprint, synaptics, ironveil, security

Synaptics, the company most likely responsible for the trackpad on your laptop, has released a new product, a 4x10mm fingerprint sensor which goes by the name of IronVeil. The idea behind the product is to incorporate it into peripherals and pair it with Windows Passport to allow you to log in by touching your mouse or keyboard, similar to the current generation of cellphones. Synaptics also suggests it could be used in eSports to ensure that the person behind the mouse is indeed who they claim to be. In their recent article, The Tech Report tried out a Thermaltake Black V2 mouse with the sensor embedded; they talk about their experiences with the mouse, introduce you to the FIDO Alliance and describe some of the authentication process which occurs behind the scenes.

One cannot help but point out that while passwords can be hashed and salted, the same cannot be said for fingerprints which leads us back to previously mentioned concerns about the security of the online storage databases these prints would be stored in.  The eternal battle of convenience versus security rages on.

"Synaptics' IronVeil is a tiny fingerprint sensor module that serves as the foundation for a variety of new authentication techniques for home and business users alike. We've spent a couple weeks with a pre-production IronVeil mouse, and we've explored how it might be used in practice."
