'Learn to trust us, because we're not about to stop.'

Subject: Editorial, General Tech | September 29, 2015 - 07:30 PM |
Tagged: trust, security, rant, microsoft, metadata, fud

Privacy of any nature when you utilize a device connected to the internet is quickly becoming a joke and not a very funny one. Just to name a few, Apple tracks your devices, Google scans every email you send, Lenovo actually has two programs to track your usage and of course there is Windows 10 and the data it collects and sends.  Thankfully in some of these cases the programs which track and send your data can be disabled but the fact of the matter is that they are turned on by default.

The Inquirer hits the nail on the head "Money is simply a by-product of data." a fact which online sites such as Amazon and Facebook have known for a while and which software and hardware providers are now figuring out.  In some cases an informed choice to share personal data is made, but this is not always true. When you share to Facebook or post your Fitbit results to the web you should be aware you are giving companies valuable data, the real question is about the data and metadata you are sharing of which you are unaware of.

im_from_the_government_im_here_to_help.jpg

Should you receive compensation for the data you provide to these companies?  Should you always be able to opt out of sharing and still retain use of a particular service?  Perhaps the cost of utilizing that service is sharing your data instead of money?   There are a lot of questions and even a lot of different uses for this data but there is certainly no one single answer to those questions. 

Microsoft have been collecting data from BSoD's for decades and Windows users have all benefited from it even though there is no opt out for sending that data.  On the other hand is there a debt incurred towards Lenovo or other companies when you purchase a machine from them?  Does the collection of patterns of usage benefit Lenovo users in a similar way to the data generated by a Windows BSoD or does the risk of this monitoring software being corrupted by others for nefarious purposes outweigh any possible benefits?

3adb62458565e775daf44731fabf2b92.jpg

Of course this is only the tip of the iceberg, the Internet of Things is poised to become a nightmare for those who value their security, there are numerous exploits to track your cellphone that have nothing to do with your provider and that is only the tip of the iceberg.  Just read through the Security tag here on PCPer for more examples if you have a strong stomach.

Please, take some time to think about how much you value your privacy and what data you are willing to share in exchange for products and services.  Integrate that concern into your purchasing decisions, social media and internet usage.  Hashtags are nice, but nothing speaks as loudly as your money; never forget that.

"MICROSOFT HAS SPOKEN out about its oft-criticised privacy policies, particularly those in the newly released Windows 10, which have provoked a spike in Bacofoil sales over its data collection policies."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register

PINs and Patterns are preferable after this Android 5 issue

Subject: General Tech | September 16, 2015 - 04:49 PM |
Tagged: hack, smartphone, Android, security

You can see in the video that The Register linked to that this particular vulnerability is neither quick nor elegant but it is most certainly effective.  By entering an extremely long string of digits into the password field, accomplished with multiple copies and pastes, while the camera app is active you can cause the lock screen application to crash on all but the newest version of Android 5.  Unfortunately the effect of that crash is to drop you onto the phones home screen, thus allowing complete access to the phone.  If you are running a version of Android 5 you should consider switching to a PIN or pattern unlock, at least for the time being.

sk.jpg

"If you've got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it's best to use a PIN or pattern to secure your lock-screen – because there's a trivial bypass for its password protection."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Intel is offering a much better deal than "Hack your car; go to jail"

Subject: General Tech | September 15, 2015 - 04:58 PM |
Tagged: security, Intel, hack

Intel is bucking the trend of FUD and overreaction when someone reveals a major flaw in a product that is on the market and are instead rewarding those who find ways to hack their automobiles.  As we have seen recently, remotely exploiting onboard software and causing a car to crash is no longer something only possible in the movies and it seems that Intel is far more interested in working towards secure solutions as opposed to the auto manufacturers reliance on lawsuits and security through obscurity.  Intel's Automotive Security Review Board is looking for bright minded individuals who will help bring PC style security to cars and is offering a free car (or cash equivalent) to the member who provides the best contribution.  Check out the links at The Register if you are interested.

48440-smartphone-outside-car-rwd.jpg.rendition.intel_.web_.576.324.jpg

"Intel is getting serious – dead serious, apparently – about car hacking. And nothing says serious like a prize giveaway. If you join Chipzilla's new Automotive Security Review Board and make all the right noises, you can win a free new ride."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Move over Twinkies and cockroaches; meet the unkillable cookie

Subject: General Tech | August 18, 2015 - 05:11 PM |
Tagged: super cookie, security

Congratulations, if you use Verizon, AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de Espantilde;a, Viettel Peru S.a.c., Vodafone NL or Vodafone Spain as your provider your browsing is being tracked and there is nothing you can do about it.  These providers have assigned your device a unique token which the provider injects into every HTTP request your device makes, the cookie is actually external to your device and so you have no way to remove it.  You will see targeted ads based on your browsing no matter how many times you remove cookies or even factory reset your phone.  Verizon has now made it an opt-out feature and The Register has been told that AT&T no longer injects the 'super cookie' into headers but based on businesses recent behaviour it is probably because they have found a better way to track you.

Screen-Shot-2013-09-15-at-9.09.53-AM.png

"At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Bad Google! That is not how you patch

Subject: General Tech | August 14, 2015 - 04:56 PM |
Tagged: google, stagefright, Android, security

So it would seem that the patch which Google rolled out and carriers have been pushing OTA is not going to be the last that we hear of Stagefright as the patch is not all that effective.  Stagefright is a vulnerability present on all 950 million devices running Android 2.2 to 5.1 and allows certain MMS to be able to execute code on your mobile device.  The recently released patch does not completely ameliorate this vulnerability, an MMS can still cause the library to crash, most likely just preventing you from using the application but possibly allowing other attacks to occur. 

Also of note is the monthly Android patches that Google is providing to various phone manufacturers who are supposed to be pushing them out.  As many Android users will have noticed, up to and including the staff at The Register, you may not have seen the flawed patch yet, let alone the update for the patch.

stagefright03.jpg

"Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed.

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register

The Intel SMM bug is bad, but not that bad

Subject: General Tech | August 7, 2015 - 05:31 PM |
Tagged: fud, security, Intel, amd, x86, SMM

The SSM security hole that Christopher Domas has demonstrated (pdf)  is worrying but don't panic, it requires your system to be compromised before you are vulnerable.  That said, once you have access to the SMM you can do anything you feel like to the computer up to and including ensuring you can reinfect the machine even after a complete format or UEFI update.  The flaw was proven on Intel x86 machines but is likely to apply to AMD processors as well as they were using the same architecture around the turn of the millennium and thankfully the issue has been mitigated in recent processors.  Intel will be releasing patches for effected CPUs, although not all the processors can be patched and we have yet to hear from AMD.  You can get an over view of the issue by following the link at Slashdot and speculate on if this flaw was a mistake or inserted there on purpose in our comment section.

logo.png

"Security researcher Christopher Domas has demonstrated a method of installing a rootkit in a PC's firmware that exploits a feature built into every x86 chip manufactured since 1997. The rootkit infects the processor's System Management Mode, and could be used to wipe the UEFI or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldnt help, because they too rely on the SMM to be secure."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Still not worried about security on the Internet of Things?

Subject: General Tech | August 4, 2015 - 05:13 PM |
Tagged: security, scary, iot

Likely you caught at least one news story on the remotely disabled Jeep recently, with the attackers able to control system ranging from annoying to life threatening.  If that didn't rustle your jimmies, how about a drug infusion system used in hospitals which can be remotely controlled?  It is not just that the pump can be used to cut off or overdose a patient on drugs, it is the abysmal security that was put onto the pump. Both telnet and FTP ports were left wide open, two very popular and effective routes into systems you shouldn't necessarily be in and port 8443 which the system uses shipped with a generic password which, like SOHO routers everywhere, was never changed after the pump was installed.  Overall an inexcusable affront to those who think about security and a terrifying glimpse into the utter incompetence of providers of devices which were never network connected until recently.  You can read more about the Hospira horror story at The Register.

Hospira-Inc-medical-drug-infusion-pumps.jpg

"The US Food and Drug Administration has told healthcare providers to stop using older drug infusion pumps made by medical technology outfit Hospira – because they can be easily hacked over a network."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Stagefright not causing butterflies anymore

Subject: General Tech | July 29, 2015 - 05:02 PM |
Tagged: google, stagefright, security

The Stagefright media player vulnerability on Android powered Nexus devices which allowed the possibility of running remotely execute code via an MMS containing a specially crafted media file.  It made headlines everywhere even though it is incredibly unlikely the bug was ever used in an attack.  Regardless, you no longer need to worry as Google has crafted a patch and has released it to the carriers.  You should keep an eye out this week and next for the update and if you do not see it apply you should reach out to your carrier.  More at The Inquirer.

stagefright-100598752-primary.idge_.png

"GOOGLE HAS SAID THAT THE STAGEFRIGHT PROBLEM is well in hand, and that it rushed to sort out the Android OS jitters before anything bad happened."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Don't go burning your motherboards but do be aware of this UEFI rootkit

Subject: General Tech | July 15, 2015 - 04:43 PM |
Tagged: uefi, security

Yet another revelation has come from the Hacking Team leak, a UEFI based rootkit which can infect computers and will survive AV scans and even a drive replacement.  The rootkit is designed specifically for the BIOS designed by Insyde which are found primarily in laptops; Dell and HP for example.  TrendMicro suggested to The Register that this rootkit could also infect AMIBIOS designed UEFI, the type you are familiar with from desktop motherboards but that has not been confirmed.  As well Trend Micro intimates that the rootkit could be installed remotely but so far the evidence suggests physical access is required ... as flashing a BIOS tends to do.  Using UEFI SecureFlash, or even flashing to the newest version will also remove the kit, although depending on the solution your motherboard uses you may see error messages about updating an unexpected or corrupt previous version.  Keep safe out there and maybe keep the Flash to your BIOS for now.

logo.jpg

"Hacking Team RCS spyware came pre-loaded with an UEFI (‬Unified Extensible Firmware Interface) ‪BIOS rootkit to hide itself on infected systems, it has emerged following the recent hacking of the controversial surveillance firm.‬"

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register

Hold the phones there Hola, you are making a profit off of my bandwidth?

Subject: General Tech | June 11, 2015 - 05:18 PM |
Tagged: security, vpn, hola, fud

If you are using the free VPN service from Hola you really need to find a different solution.  Not only has it been plagued with security vulnerabilities, some of which they have addressed and some of which even they admit still exist, you will also unwittingly be providing exit nodes and bandwidth for anonymous surfers.  To add insult to injury, those users pay $20/GB to Hola for use of your bandwidth and you will never see a penny of that.  Hola's ILuminati service allows you to surf the net anonymously by directing their traffic over anyone using the free VPN, or as they refer to it an unblocking service, so not only is your bandwidth being used, you have no idea what traffic is actually exiting through your VPN. 

That is pretty much the exact opposite of a private network and depending on what is being done and how well the traffic is monitored you could well find yourself embroiled in an investigation you had no idea you were opening yourself up to.  Check out  more on this story at The Register.

original.jpg

"Embattled "free" VPN provider Hola is facing criticism over its practice of turning its users into exit nodes in a paid-for anonymisation service which can easily be used for nefarious activities. Hola's software is also claimed to include "unpatchable" vulnerabilities allowing takeover of user machines."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register