Move over Twinkies and cockroaches; meet the unkillable cookie

Subject: General Tech | August 18, 2015 - 01:11 PM |
Tagged: super cookie, security

Congratulations: if you use Verizon, AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Viettel Peru S.a.c., Vodafone NL or Vodafone Spain as your provider, your browsing is being tracked and there is nothing you can do about it. These providers have assigned your device a unique token which the provider injects into every HTTP request your device makes; the cookie is actually external to your device and so you have no way to remove it. You will see targeted ads based on your browsing no matter how many times you remove cookies or even factory reset your phone. Verizon has now made it an opt-out feature and The Register has been told that AT&T no longer injects the 'super cookie' into headers, but based on businesses' recent behaviour it is probably because they have found a better way to track you.


"At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Bad Google! That is not how you patch

Subject: General Tech | August 14, 2015 - 12:56 PM |
Tagged: google, stagefright, Android, security

So it would seem that the patch which Google rolled out and carriers have been pushing OTA is not going to be the last we hear of Stagefright, as the patch is not all that effective. Stagefright is a vulnerability present on all 950 million devices running Android 2.2 to 5.1 and allows certain MMS messages to execute code on your mobile device. The recently released patch does not completely ameliorate this vulnerability: an MMS can still cause the library to crash, most likely just preventing you from using the application but possibly allowing other attacks to occur.

Also of note are the monthly Android patches that Google is providing to the various phone manufacturers, who are supposed to be pushing them out. As many Android users will have noticed, up to and including the staff at The Register, you may not have seen the flawed patch yet, let alone the update to that patch.


"Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed."


Source: The Register

The Intel SMM bug is bad, but not that bad

Subject: General Tech | August 7, 2015 - 01:31 PM |
Tagged: fud, security, Intel, amd, x86, SMM

The SMM security hole that Christopher Domas has demonstrated (pdf) is worrying, but don't panic: it requires your system to be compromised before you are vulnerable. That said, once you have access to SMM you can do anything you feel like to the computer, up to and including ensuring you can reinfect the machine even after a complete format or UEFI update. The flaw was proven on Intel x86 machines but is likely to apply to AMD processors as well, as they were using the same architecture around the turn of the millennium; thankfully the issue has been mitigated in recent processors. Intel will be releasing patches for affected CPUs, although not all the processors can be patched, and we have yet to hear from AMD. You can get an overview of the issue by following the link at Slashdot and speculate on whether this flaw was a mistake or inserted on purpose in our comment section.


"Security researcher Christopher Domas has demonstrated a method of installing a rootkit in a PC's firmware that exploits a feature built into every x86 chip manufactured since 1997. The rootkit infects the processor's System Management Mode, and could be used to wipe the UEFI or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn't help, because they too rely on the SMM to be secure."


Source: Slashdot

Still not worried about security on the Internet of Things?

Subject: General Tech | August 4, 2015 - 01:13 PM |
Tagged: security, scary, iot

Likely you caught at least one news story on the remotely disabled Jeep recently, with the attackers able to control systems ranging from annoying to life threatening. If that didn't rustle your jimmies, how about a drug infusion system used in hospitals which can be remotely controlled? It is not just that the pump can be used to cut off or overdose a patient on drugs, it is the abysmal security that was put onto the pump. Both the telnet and FTP ports were left wide open, two very popular and effective routes into systems you shouldn't necessarily be in, and port 8443, which the system uses, shipped with a generic password which, like SOHO routers everywhere, was never changed after the pump was installed. Overall an inexcusable affront to those who think about security and a terrifying glimpse into the utter incompetence of providers of devices which were never network connected until recently. You can read more about the Hospira horror story at The Register.


"The US Food and Drug Administration has told healthcare providers to stop using older drug infusion pumps made by medical technology outfit Hospira – because they can be easily hacked over a network."


Source: The Register

Stagefright not causing butterflies anymore

Subject: General Tech | July 29, 2015 - 01:02 PM |
Tagged: google, stagefright, security

The Stagefright media player vulnerability on Android powered Nexus devices allowed the possibility of remote code execution via an MMS containing a specially crafted media file. It made headlines everywhere even though it is incredibly unlikely the bug was ever used in an attack. Regardless, you no longer need to worry as Google has crafted a patch and has released it to the carriers. You should keep an eye out this week and next for the update, and if you do not see it applied you should reach out to your carrier. More at The Inquirer.


"GOOGLE HAS SAID THAT THE STAGEFRIGHT PROBLEM is well in hand, and that it rushed to sort out the Android OS jitters before anything bad happened."


Source: The Inquirer

Don't go burning your motherboards but do be aware of this UEFI rootkit

Subject: General Tech | July 15, 2015 - 12:43 PM |
Tagged: uefi, security

Yet another revelation has come from the Hacking Team leak: a UEFI based rootkit which can infect computers and will survive AV scans and even a drive replacement. The rootkit is designed specifically for the UEFI BIOS designed by Insyde, which is found primarily in laptops; Dell and HP for example. Trend Micro suggested to The Register that this rootkit could also infect AMIBIOS designed UEFI, the type you are familiar with from desktop motherboards, but that has not been confirmed. As well, Trend Micro intimates that the rootkit could be installed remotely, but so far the evidence suggests physical access is required ... as flashing a BIOS tends to do. Using UEFI SecureFlash, or even flashing to the newest version, will also remove the kit, although depending on the solution your motherboard uses you may see error messages about updating an unexpected or corrupt previous version. Keep safe out there and maybe keep the Flash to your BIOS for now.


"Hacking Team RCS spyware came pre-loaded with an UEFI (Unified Extensible Firmware Interface) BIOS rootkit to hide itself on infected systems, it has emerged following the recent hacking of the controversial surveillance firm."


Source: The Register

Hold the phones there Hola, you are making a profit off of my bandwidth?

Subject: General Tech | June 11, 2015 - 01:18 PM |
Tagged: security, vpn, hola, fud

If you are using the free VPN service from Hola you really need to find a different solution. Not only has it been plagued with security vulnerabilities, some of which they have addressed and some of which even they admit still exist, you will also unwittingly be providing exit nodes and bandwidth for anonymous surfers. To add insult to injury, those users pay $20/GB to Hola for use of your bandwidth and you will never see a penny of that. Hola's Luminati service allows its customers to surf the net anonymously by directing their traffic over anyone using the free VPN, or as Hola refers to it an unblocking service, so not only is your bandwidth being used, you have no idea what traffic is actually exiting through your VPN.

That is pretty much the exact opposite of a private network, and depending on what is being done and how well the traffic is monitored you could well find yourself embroiled in an investigation you had no idea you were opening yourself up to. Check out more on this story at The Register.


"Embattled "free" VPN provider Hola is facing criticism over its practice of turning its users into exit nodes in a paid-for anonymisation service which can easily be used for nefarious activities. Hola's software is also claimed to include "unpatchable" vulnerabilities allowing takeover of user machines."


Source: The Register

MSE the next generation; Windows 10 Device Guard

Subject: General Tech | April 24, 2015 - 01:55 PM |
Tagged: windows 10, Device Guard, security, microsoft, IOMMU

The Register gleaned some details about Windows 10 Device Guard at RSA but there is still a lot we do not know about it. It is an optional service that can be enabled by an administrator, and it checks every application launched to see if it has been signed by Microsoft as a trusted binary before letting it run. While certainly good for security, it may cause some issues for developers who have not gone through the vetting process to have their app approved for the Microsoft Store. Device Guard is also separated from the WinX kernel, so if your machine does become infected, Device Guard will still not allow unsigned apps to run. You will need hardware which supports an input/output memory management unit (IOMMU) to use Device Guard; thankfully that technology is present on most current PC hardware, though not so prevalent on the mobile front.


"The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC."


Source: The Register

Psst, hey buddy I got some nice Android apps for you cheap! They just fell off the back of a truck ya know.

Subject: General Tech | March 25, 2015 - 12:25 PM |
Tagged: Android, security

If you are running a device with Android 4.3 or earlier you should avoid third-party app stores; arguably all users should, but there are times when Google Play does not offer what you need. A security problem with the way that APK files are authenticated during install can allow a seemingly harmless app to be modified, either at the source or while being transmitted, leading to the installation of an app that may not be entirely honest about what it does. Palo Alto Networks' testing shows versions 4.4+ do not suffer from this particular problem, nor do the vetted apps at the Google Play store. It is unlikely you will encounter this problem unless you usually install things from places like Creepy Ice Cream Van Discount Apps and Malware, but you should be aware of the existence of this issue. More at The Inquirer.


"A FRESH VULNERABILITY CALLED Android Installer Hijacking is making itself known as a threat to almost half of all Android users."


Source: The Inquirer

Since TLS connections mostly ignore OCSP, Firefox is creating yet another solution

Subject: General Tech | March 5, 2015 - 01:46 PM |
Tagged: security, OneCRL, irony, firefox, CRLSet, chrome

It seems somehow strange that the vast majority of 'secure' connections still completely ignore what were developed as industry standards to ensure security in favour of creating their own solutions, but that is the world a security professional lives in. The basic design of OCSP does carry with it a lot of extra bandwidth usage, and while maintaining a time limited local cache, referred to as stapling, would ameliorate this, your TLS connection is not likely to support that solution. Instead of fixing the root cause and utilizing existing standards, it would seem that Firefox 37 will start a brand new solution, maintaining a list of revoked certificates ironically called OneCRL which will be pushed out to Firefox users, duplicating the CRLSet which Chrome has already developed and maintains.

This is good for the end user in that it does add security to their browsing session, but for those truly worried about attempting to make the net a safer place it offers yet another list to keep track of, and for attackers yet another vector of attack. At some point we will have to stop referring to standards when referencing networking technology. Pore through the links on the Slashdot post and read through the comments to share in the frustration, or to familiarize yourself with these concepts if the acronyms are unfamiliar.


"The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser."


Source: Slashdot