So long WiFi Sense, don't let the door hit you ...

Subject: General Tech | May 11, 2016 - 05:26 PM |
Tagged: wifi sense, security, microsoft

Here is an update we can get behind!  Windows 10 Build 14342 will no longer have WiFi Sense, that bizarre feature which Microsoft added which would pass on any of your stored WiFi passwords to your contacts as well as overriding your preferred network if one of your contacts signals was available.  This caused a certain amount of alarm as you might not trust every contact you might have on Outlook.com with your WiFi password nor trust their WiFi networks.  The blather about high cost and low demand is an interesting cover for changing their minds, regardless it is good to see it go.  There were a couple of other updates included in this release, check them out at The Inquirer.

2015-08-18_14-11-50.png

"We have removed the WiFi Sense feature that allows you to share WiFi networks with your contacts and to be automatically connected to networks shared by your contacts," explained Aul."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Psst Comrade! Want to buy some email account details cheap?

Subject: General Tech | May 4, 2016 - 04:39 PM |
Tagged: security

272.3 million is a big number and sadly it refers to the number of email accounts which have been affected by a recent data breach.  The vast majority of the accounts are from Russia's Mail.ru but Yahoo accounts for 15%, Hotmail 12% and Gmail 9% of the leak.  With 50 rubles and the right connections you can have the email addresses and passwords of a very large number of people.  Sadly, The Inquirer also heard that this collection includes details of user accounts of US banking, manufacturing and retail companies.  When you are changing your passwords today, try to avoid obvious Star Wars references.

7449344_m.jpg

"Reuters has the scoop, having heard from Alex Holden, founder and chief information security officer of Hold Security - and the man who last year uncovered the largest data breach to date - that the details of 272.3 million stolen accounts are being traded."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Patch 'em if you got 'em; 40 Google patches for you

Subject: General Tech | May 3, 2016 - 06:09 PM |
Tagged: Android, google, security

Assuming your service provider is not one of those who block Google's patches from coming to you directly you should probably charge up that device, get on WiFi  and check your available updates.  Any Google device running 4.4.4 or newer, including Nexus devices, will have up to 40 patches to slurp up.  Many of the patches are for a vulnerability similar to the previous Stagefright exploit, apps can use the drivers from Qualcomm and NVIDIA to break into the Qualcomm TrustZone on unpatched devices.  The Register provides a full list of the patches which are being pushed to Nexus and Android One devices.

android versions.PNG

"Google has today issued a bundle of 40 security patches for its Android operating system.

A dozen of the fixes correct critical vulnerabilities in versions 4.4.4 of the operating system and above. About 74 per cent of in-use Android devices run Android 4.4.4 or higher."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

I love it when a bad guys plan doesn't come together

Subject: General Tech | March 17, 2016 - 05:25 PM |
Tagged: ransomware, Malware, security, idiots

With the lousy news below the fold, up to and including yet another StageFright exploit, here is a bit of amusing news to balance out the bad.  A recently unleashed ransomware program seems to have been developed on stolen code and the original developer has taken offence to this.  His original program, EDA2, was designed to illustrate how ransomware works and he intentionally included a backdoor to ensure that the data could be unencrypted. 

He has used that backdoor to break into the program and has obtained the complete list of decryption keys and posted them to the net, The Register has a link to that list right here.  It is good for the soul to see incompetent bad guys every once and a while.

Vault door.jpg

"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Oh snap, old phones and new IoT devices just sprung another leak

Subject: General Tech | March 15, 2016 - 05:11 PM |
Tagged: snapdragon, qualcomm, security, iot

TrendMicro discovered vulnerabilities in the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 on devices running a 3.10-version kernel.  They have privately discussed the issue with Google who have since pushed out updates to resolve these issues on their phones, preventing attackers from gaining root access with a specially crafted app.  Unfortunately that is the tip of the iceberg as according to Qualcomm more than a billion devices use Snapdragon processors or modems, many of them IoT devices which have not had this update.  With the already fragmented market getting worse as everyone and their dog are now creating IoT devices the chances are very good that your toaster, fridge and other random internet connected devices are vulnerable and will remain so. 

You should think twice when considering the balance of convenience and security when you are purchasing internet connected household appliances and other IoT devices.  You can see what Slashdot readers think about this here if you so desire.

sd_processor_03.png

"Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

If you have a Trane thermostat you should update the firmware immediately

Subject: General Tech | February 9, 2016 - 06:30 PM |
Tagged: trane, iot, security

It is not a good sign when a security team refers to your smart thermostat as "a little malware store", especially when the flaws have been known for some time.  Indeed the original issue of hardcoded SSH passwords has been known since 2014 and the update took a year to be created.  Unfortunately most owners of a Trane Thermostat will not have upgraded their firmware, even if they knew about the update as it is not something which was installed remotely.  Instead you need to download the new firmware onto an SD card and manually install it on the thermostat.  Last month another update was released to address a remote code execution vulnerability in the ComfortLink II, which was not generally known until The Register posted about it today.  If you are using this device you should get an SD card handy and download the firmware.

1401223883460.png

"In April 2015, one year after the first alert, Trane fixed the hardcoded password issue with a new release of the ComfortLink's firmware. Cisco then tipped off US CERT about the remaining issues. Trane eventually addressed the flaws in its code in January 2016, but didn't tell its customers that new firmware is available."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Are you going to phish or cut clickbait?

Subject: General Tech | February 4, 2016 - 07:08 PM |
Tagged: security, google

Remember the thrill of finding the actual download button for the software you need, hidden on a webpage featuring at least four other large download buttons leading to unrelated and generally nasty software?  Well those horrible people at Google want to take that joy away from you!  Instead of practicing your skills at slapping the monkey, shooting the duck or pretending you are on an online version of Let's Make a Deal trying to pick the right download button to reveal the prize you want, they will present you with a bright red warning screen. 

For some reason those hacks over at The Inquirer think it is a good idea to take away the hours of time spent with your family, and all the interesting things that "just appeared" on their machines.

index.png

"Google is still chipping away at creating a secure online experience and has just unearthed a new element for safe browsing that stops click-happy idiots doing click-stupid things."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Inquirer

Next on the list of companies which should know better is Malwarebytes, but it is not as bad as some say

Subject: General Tech | February 3, 2016 - 05:46 PM |
Tagged: security, Malwarebytes

Considering the business that Malwarebytes is in you can expect to see a lot of negative press about a gaping security hole in the near future and while there is a vulnerability it is not as bad as many will make it out to be.  The issue lies in that signature updates are done over HTTP and are unsigned, very bad practice but something which would be exploited on a single client connection as opposed to something you could use to create a wide spread infection.  The Register links to the Google Project Zero entry which was released today as the vulnerability was first reported to Malwarebytes 90 days ago and has not been addressed on the client side.

The actual concern you should have is that the original bug report also found vulnerabilities on the server side.  Malwarebytes did correct the server side issues almost immediately but neglected to follow through on the client side.  It is good of them to patch and offer bug bounties but a complete follow through is necessary if you are a security software peddler who wants their reputation to stay intact.

mb-logo.png

"The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register

Sharing is good ... until it starts eating your bandwidth

Subject: General Tech | January 29, 2016 - 07:32 PM |
Tagged: security, isp, wifi

ISPs have stumbled onto a new money making venture, renting out your wireless internet connection to third parties so that those companies can provide public WiFi to their customers.  Sources told The Inquirer that some ISPs already do this without informing their customers and that it will likely be a common industry practice by 2017.  Theoretically you are allowed to opt out but since your ISP may not have told their users they are doing this; how would the average customer know to request this be turned off?

This raises several concerns, especially here in North America thanks to our pathetic internet services.  Most users have a data cap and the ISPs have little reason to spend resources to properly monitor who is using the bandwidth, their customers or random passersby.  As well the speeds of most customers are low enough that they may see degradation of their service if numerous passersby connect to their WiFi.  Putting the monetary concerns to the side there are also serious security concerns.  Once a user has access to your WiFi router they are most of the way into your network and services such as UPnP and unprotected ports leave you vulnerable to attack.

Change the password your provider put on the router and consider reaching out to them to find out if you have been unwillingly sharing your bandwidth already, or if you might be doing so in the near future.

index.png

"Companies are going to be selling a lot more public Wi-Fi plans over the next few years and it's going to be home Wi-Fi users who'll be the backbone of the network, according to analysts from Juniper Research."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Ever been so sick of a song you considered veering off the road to make it stop?

Subject: General Tech | January 27, 2016 - 06:24 PM |
Tagged: Usenix Enigma, security, iot

The good news is that this particular bug has been addressed but it does not make the vulnerability any less terrifying.  A mere 18 seconds of playtime on a compromised audio CD in your car is enough to insert the attack code and gain complete control over your cars computer controlled systems.  This particular vulnerability was discovered in 2010, long before the more recent vulnerabilities you would have seen all over various media.  You could shut off the engines, forcibly unlock the doors, interfere with steering and many other functions that could well cause serious damage at highway speeds or in other scenarios. 

When placing the blame, The Inquirer makes sure to point out that you should not look to the car companies as it is the software providers who are the source of the problem.  Thanks to various corporate policies no car company has access to all of the source code running in their products so a security audit will not help.  Even better is the inclusion of a government-mandated OBD-II port which allows complete control over your cars system; which you should not touch as simply plugging into it would be a crime in the USA.  There is some good news, this vulnerability resulted in Fiat Chrysler recalling 1.4 million cars at a cost of about a quarter of a billion dollars ... an expensive mistake that may convince them to change their software implementation processes.

enigma_logo_700x253.png

"The modern car's operating system is such a mess that researchers were once able to get complete control of a vehicle by playing a song laced with malicious code. Malware encoded in the track was executed after the file was loaded from a CD and processed by a buggy parser."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register