Subject: General Tech, Mobile | December 12, 2017 - 02:37 AM | Tim Verry
Tagged: synaptics, security patch, security, keylogger, hp, Cyber Security
HP has issued security patches for more than 460 models of the company's laptops and thin clients to address a hidden keylogger present in the Synaptics touchpad drivers. Discovered by security researcher Michael Myng while delving into the Synaptics Touchpad Software in an attempt to change the backlight behavior of the keyboard, the keylogger was reportedly built into the software stack to debug errors. While it shipped to customers disabled by default, an attacker who had obtained administrative privileges could change the appropriate registry value and enable keylogging, locally recording all of the user's keystrokes without their knowledge. Further malicious code or local physical access could then be used to retrieve the recorded data and mine it for passwords, usernames, account numbers, and other personal information.
Image courtesy Robbert van der Steeg via Flickr Creative Commons
HP claims in its security bulletin that at no time did it or Synaptics have access to customer data, and it classifies the vulnerability as a "local loss of confidentiality." HP advises acting on it as soon as possible by downloading the security patch for your laptop from HP or by running Windows Update.
According to the HP security bulletin, the vulnerability reportedly affects all Synaptics OEM partners including HP that have shipped systems with certain Synaptics Touchpad driver versions. In the case of HP this includes commercial / enterprise notebooks, tablets, thin clients, and mobile workstations from their G2, G4, G6, Elite X2, EliteBook, Thin Client, ProBook, Spectre Pro, Stream, X360, and ZBook Mobile Workstation series and consumer devices with Compaq, Beats, ENVY, OMEN, Pavilion, Spectre, Split, Stream, and even the 15" Star Wars Special Edition laptop!
While this is a serious security risk, there is no need to panic. You should apply the patch manually or through Windows Update as soon as possible, but so long as you have been following (and continue to follow) security best practices (strong passwords, running anti-virus and anti-malware scans regularly, restricting physical access, not running as administrator on your daily-driver user account, etc.), you should be safe: several steps would need to be completed before an attacker could take advantage of this hidden keylogger, especially remotely.
You can find the full list of affected laptops and their associated security patches on HP's support website. For a PGP signed version of the page you can email firstname.lastname@example.org.
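For administrators who want to know where their fleet stands rather than waiting for Windows Update, the following PowerShell audit is an added example (not code from HP, Synaptics or the article). It lists installed Synaptics touchpad drivers for comparison against HP's affected-version list and reports whether the debug-trace registry switch the article describes has been flipped on; the registry key path and value name are assumed placeholders, since the article does not name them, and must be replaced with the key given in HP's bulletin.

```powershell
# Added example, not HP's or Synaptics' code. Audits one Windows host for the
# Synaptics touchpad driver and the debug-trace registry switch described above.
# The key path and value name are ASSUMED placeholders: substitute the key named
# in HP's security bulletin for your model before relying on the result.
param(
    [string]$TraceKeyPath   = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_KEY', # assumed
    [string]$TraceValueName = 'PLACEHOLDER_TRACE_SWITCH'                          # assumed
)

# 1. Inventory: which Synaptics drivers are installed, and at what version?
#    Compare DriverVersion against the affected list on HP's support site.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.Manufacturer -like '*Synaptics*' -or $_.DeviceName -like '*Synaptics*' } |
    Select-Object DeviceName, DriverVersion, DriverDate, InfName

if (-not $drivers) {
    Write-Output 'No Synaptics driver found; this host is not in scope for the bulletin.'
} else {
    Write-Output 'Synaptics drivers present (check versions against HP bulletin):'
    $drivers | Format-Table -AutoSize | Out-String | Write-Output
}

# 2. State: has the trace switch been enabled? Writing this value needs
#    administrative rights, so a non-default value is itself a signal that
#    something with admin privileges changed it. (Non-zero = enabled is assumed.)
$switch = Get-ItemProperty -Path $TraceKeyPath -Name $TraceValueName -ErrorAction SilentlyContinue
if ($null -eq $switch) {
    Write-Output "Trace switch '$TraceValueName' not present under $TraceKeyPath (shipped default)."
} elseif ($switch.$TraceValueName -ne 0) {
    Write-Warning "Trace switch is ENABLED (value $($switch.$TraceValueName)); investigate who set it and apply HP's patch."
} else {
    Write-Output 'Trace switch present but disabled.'
}
```

Run it from an elevated session so the HKLM query is not silently blocked, and feed the driver table into whatever inventory tool you use to track patch status across machines.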
Subject: General Tech | December 6, 2017 - 09:59 PM | Tim Verry
Tagged: nicehash, mining, hack, Cyber Security, bitcoin
In a recent press release, cryptocurrency mining marketplace Nicehash revealed that its payment service was hacked and its BTC payment wallet was emptied. While the company did not reveal the exact amount lost, users on Reddit spent the better part of today worried as the service was initially "under maintenance" for 12 hours amidst suspicious transactions on the blockchain that saw 4,736.42 BTC taken from Nicehash, with users' Nicehash internal wallets reporting zero balances. The company is currently investigating the precise amount stolen, though estimates around the web put it north of $66 million USD worth of the popular cryptocurrency (at time of writing 1 BTC = ~$13970.50).
Image courtesy fdecomite via Flickr.
Users that mined to an external wallet (for an additional fee) are only out unpaid balances of less than 0.01 BTC, but sadly users that mined to an internal wallet have potentially lost hundreds or thousands of mined bitcoin. Also, purchasers of the Nicehash mining service may have lost the BTC that they paid into the service for alt coin hashing power.
"We are fully committed to restoring the NiceHash service with the highest security measures at the earliest opportunity.
We would not exist without our devoted buyers and miners all around the globe. We understand that you will have a lot of questions, and we ask for patience and understanding while we investigate the causes and find the appropriate solutions for the future of the service. We will endeavour to update you at regular intervals."
Nicehash is further recommending that users of its internal wallets change all of their online passwords (especially any that were similar to the one they used on the site) as a precaution.
The full press release is available here.
In all, it is a devastating hack, another in a series of high-profile cryptocurrency heists that have traditionally left users out of their money and the company destroyed. Nicehash has indicated that it has reached out to and is cooperating with the relevant authorities, but unless they are able to find the individual(s) responsible and recover the massive amount of bitcoin, it is not looking good.
I hope that the bitcoin is able to be recovered or at least that Nicehash is able to do the right thing and compensate its users from its own funds.
This high-profile attack further illustrates the need to use safe bitcoin storage practices and to always hold your own private key in an offline wallet (hardware or paper, or at a minimum an encrypted software wallet you control) for long-term storage of funds. Your cryptocurrency is only truly yours when you alone control the private key(s); you should keep coins on other parties' servers (e.g. exchanges) only for as long as it takes to transfer them to your bank, or for as short a time as possible when trading.
What are your thoughts on this? Did you have money in a Nicehash wallet or unpaid mining balance? Do you plan to venture forth and mine on your own?
Subject: General Tech | June 5, 2016 - 02:18 PM | Scott Michaud
Tagged: security, Cyber Security, coil whine
As new hardware launches, many readers ask whether it produces any noticeable coil whine. For instance, this is an issue for graphics cards that are outputting a very high frame rate: the electronics create sound from the current oscillating as it flows through them. It can also be an issue for motherboards and power supplies. You can check out this fairly old video from LinusTechTips for a demonstration.
Image Credit: ACM
It turns out that, because this whine is related to the signal flowing through the oscillating circuit, security researchers are looking into what information can be inferred from it. In particular, the Association for Computing Machinery (ACM) published a paper called Physical Key Extraction Attacks on PCs. It discusses several methods of attacking a device, such as reading minor fluctuations on its grounding plug or monitoring induced radiation with an antenna. Its headlining method, though, is "Acoustic": it listens to the coil whine the computer produces while it decrypts RSA messages sent to it, and recovers the RSA secret key from that sound.
While they have successfully demonstrated the attack using a parabolic microphone at 33 ft away, and a second demonstration using a mobile phone at 1 ft away, the news should be taken with a grain of salt. Mostly, it's just interesting to realize that there's nothing really special about a computer. All it does is store and process data on whatever physical state we have available in the world. Currently, that's almost always radio-frequency radiation flowing through semiconductors. Whatever we use will have consequences. For instance, as transistors get smaller, to push more complex signals through a given surface area and power budget, we'll eventually run out of atoms.
This is just another, often forgotten side-effect: electric signals induce the transfer of energy. It could be electromagnetic, acoustic, or even thermal. In the realm of security, this could, itself, carry some of the data that we attached to our world's state, and allow others to access it (or sometimes modify it) without our knowledge or consent.
Subject: General Tech | July 15, 2011 - 05:37 PM | Tim Verry
Tagged: pentagon, hack, Cyber Security, cracking
If we thought that the antics of LulzSec and Anonymous were bad, the Pentagon's recent admission that 24,000 files were stolen by an attacker who has not yet been identified to the public is not good news at all. Exactly what was taken has not been released; however, Deputy Defense Secretary William J. Lynn III said that the Pentagon believes the attacker was a foreign government, and according to Fox News, Lynn stated that "'we have a pretty good idea' who did it."
The Pentagon attack was revealed to the public during a speech on Thursday as a preface to a newly proposed, more active cyber-defense strategy. The Pentagon believes that the threat of retaliation is not enough of a deterrent to stop attackers and that a more active defense is needed. The strategy includes a greater focus on defense rather than offensive measures, improving its workers' computer habits to mitigate the risk of succumbing to viruses and malware, and calls for collaboration with other federal agencies, contractors, and foreign allies.
You can read more about the attack and the proposed defense to further attacks here.
Subject: Editorial, General Tech | May 5, 2011 - 08:35 AM | Tim Verry
Tagged: Internet, Education, Cyber Security
Microsoft recently posted a press release detailing the results of its sponsored study by the NCSA (National Cyber Security Alliance). The study sought to determine who people believe bears the responsibility for teaching children how to protect themselves on the Internet, as well as what the current situation is as far as K-12 students' level of preparedness and education. The executive director of the NCSA, Michael Kaiser, had this to say:
“Just as we would not hand a child a set of car keys with no instruction about how to drive, we should not be sending students out into the world without a solid understanding of how to be safe and secure online."
According to Microsoft, the NCSA advocates for a "comprehensive approach" to teaching children from K-12 how to stay safe and secure online. While the consensus seems to be that students do need to be educated in Internet security, people are divided on exactly who bears the primary responsibility for teaching children. Children's teachers, parents, and even government leaders and law enforcement have all been raised as possible responsible parties. The majority of teachers (80 percent) and school administrators (60 percent) surveyed are proponents of parents being responsible for teaching their kids about "digital safety, security, and ethics." On the other hand, more than 50 percent of the IT coordinators surveyed believe that teachers bear the most responsibility for educating kids. From the survey, one area where all groups do seem to agree is on the question of government responsibility in educating kids. Microsoft states that less than one percent believe law enforcement and government officials should bear the responsibility.
Cyber security is clearly seen as important for students to learn: 97 percent of school administrators believe schools should have courses and an educational plan for students throughout their K-12 grades. Yet only 68 percent of administrators "believe their schools or school districts are doing an adequate job of preparing students..."
The situation looks even bleaker when teachers were surveyed. When asked whether they feel prepared to teach students adequately, just 24 percent believed they were adequately prepared to talk about and educate kids on protecting personal information on the Internet, and 23 percent are comfortable teaching the risks of cyberbullying. Further, only one-third of teachers surveyed believe they are prepared to educate students on basic Internet security skills "such as password protection and backing up data." The low numbers are attributed to the lack of professional development training that teachers are receiving. Microsoft states that "86 percent received less than six hours of related training." Microsoft quotes Kaiser in saying that "America's schools have not caught up with the realities of the modern economy. Teachers are not getting adequate training in online safety topics, and schools have yet to adopt a comprehensive approach to online safety, security and ethics as part of a primary education. In the 21st century, these topics are as important as reading, writing and math."
In all of this, there is a ray of hope. Comparing the 2010 study to the NCSA's 2008 study, which you can read here, an increasing number of teachers believe cyber security and professional development training is a priority. More than 60 percent of school officials and teachers are interested in pursuing further security training. This interest in training among teachers is up to 69 percent from 55 percent in 2008. IT coordinators and administrators are also becoming more interested in revamping the educational curriculum to better teach their students and workers. Further improvements in interest among educators pursuing further security training can be seen between the 2010 and the 2011 NCSA study. Also, slightly higher percentages exist across the board for teachers who have taught aspects of security in their classrooms compared to both the 2010 and 2008 studies.
On the other hand, while interest in training is increasing for teachers, from 2010 to 2011 the security topics actually taught in classes have dropped. This is in addition to a decrease in teachers' belief that they bear responsibility for educating kids.
A comparison paper between the 2008 and 2010 study can be downloaded here (PDF).
What are your thoughts on this issue; who bears the primary responsibility in educating children on the importance of Internet safety?
Image 1 courtesy 2011 NCSA study. Image 2 courtesy 2008 to 2010 NCSA comparison study. Material is copyright NCSA, and used according to fair usage guidelines for the purpose of commentary and reporting.