Crazy, I'm crazy for feeling so buggy ... then Microsoft called it off

Subject: General Tech | May 9, 2017 - 12:43 PM |
Tagged: security essentials, security, microsoft, fud, endpoint, defender

You have probably already read about the bug, discovered by Google Project Zero researchers, which affects all of Microsoft's security programs, from basic home apps like Defender through to the professional-level Forefront Security for SharePoint. It was certainly a bad one, utilizing the act of scanning a file for malware as the infection vector, strikingly similar to the way some viruses hijack our own immune systems.

The good news is that Microsoft started pushing out a fix for the bug on Monday; as the bug was hinted at publicly on Friday, someone must have put in a long weekend. This quick turnaround is very nice to see and demonstrates the usefulness of publicly announcing the existence of a threat without revealing the details to the public immediately. Bug bounty programs are a good thing, but if they involve NDAs they can lead to delays in resolution, as there is little pressure on the software developers to push out an immediate fix. As The Register states, when the existence of a bug is responsibly disclosed, especially a major one such as this, you get a quick turnaround like we saw from Microsoft.

Update if you got 'em!

"On the second point, well, we hate to break it to you but all software has bugs – especially Microsoft's code. There are any number of horrible remote code execution flaws in Windows and Office right now, sitting there waiting for white and black hats to find and exploit. Being told, yes, there is definitely a bad bug lurking in among the ones and zeroes doesn't make you less secure."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register

Google doesn't seem to mind SilverPush and your phone's surreptitious addiction to advertisements

Subject: General Tech | May 5, 2017 - 01:29 PM |
Tagged: fud, silverpush, security

In 2015 we learned enough about SilverPush to worry security wonks about its ability to track your phone without your knowledge. Several hundred apps available on the Google Play store have SilverPush and do not inform users that the apps utilize that software to track your whereabouts without your knowledge, which would seem to be in direct contravention of Google's stated requirements. That is more upsetting than the actual tracking.

SilverPush-laden apps listen for tones broadcast at 18kHz to 20kHz, which is inaudible to the vast majority of humanity. When they receive that tone, the app which has SilverPush sends out a signal which can be used to locate you, to track your progress through a store or to verify that you are watching a particular advertisement. The creators of the software stopped development back in 2015 and have found this revelation rather confusing, according to Ars Technica.

"Almost a year after app developer SilverPush vowed to kill its privacy-threatening software that used inaudible sound embedded into TV commercials to covertly track phone users, the technology is more popular than ever, with more than 200 Android apps that have been downloaded millions of times from the official Google Play market, according to a recently published research paper."

Source: Ars Technica

What's up with WhatsApp

Subject: General Tech | January 16, 2017 - 01:13 PM |
Tagged: whatsapp, fud, facebook, encryption

By now you will have seen a headline screaming something about the security of Facebook's WhatsApp messaging service, ranging from a backdoor purposefully inserted into the app to a complete denial of any security risk at all. The actual issue is much larger than WhatsApp and addresses a security issue with all applications which depend on public key encryption.

Many applications utilize public keys for their encryption. The encryption relies on keys unique to the sender's and receiver's devices, and these applications use the public key to verify the authorization of a new device. If your account's key was permanently attached to a specific piece of hardware you would need a separate account for each device you used, which would be quite onerous.

The issue is that the Open Whisper Signal protocol is configured by WhatsApp in a way which makes the data vulnerable to a man in the middle attack. If you can manage to block the transmission of a message, then take over one of the authorized device's accounts or phone numbers and trigger the generation of a new private key via a public key request to Facebook, then you will be able to read messages until people realize what is going on. This is not impossible but far from easy to accomplish, and affects any similar encryption system, not just WhatsApp.

Perhaps more worrying is Facebook's ability to take advantage of this, as they can generate a new public key to read messages, if they so choose.  If you are concerned about this, you can enable the Show Security Notifications setting under Settings -> Account -> Security to be notified whenever a contact's security code has changed.  The Register links to several articles which delve into the technology as well as the media's reactions here, if you are interested.

"The problem – which is "endemic to public key cryptography" – was raised in April last year, and at the time WhatsApp said it wasn't a serious enough design flaw to spend time fixing."

Source: The Register

Hack inflight entertainment crashes planes! Ya, not so much ya nutter

Subject: General Tech | December 20, 2016 - 01:04 PM |
Tagged: security, fud

You will probably see a headline picked up from the Telegraph warning of how hackers can use the in-flight entertainment systems to cause planes to crash; please ignore it. Pilots do not generally log into a secret part of the interface on your seatback screen to control the airplane; they have a separate system which is not about to be overridden by someone screwing with the entertainment system. On the other hand they could force everyone to watch a Rob Schneider movie, which might be worse. The Inquirer also suggests playing with cabin lighting or broadcasting fake announcements, as annoying as the teenager chatting away on the phone next to you or the child screaming in the background. There were some reasonable suggestions in the article, which you can see here.

"LADIES AND GENTLEMEN, THIS IS YOUR PILOT SPEAKING. It turns out that hackers may be able to fiddle with the in-flight entertainment system on board and take control of the plane."

Source: The Inquirer

Simply FUD or a message from the Forced Upgrade Department?

Subject: General Tech | May 18, 2016 - 12:44 PM |
Tagged: Intel, microsoft, fud

DigiTimes has a doozy of a post title, stating that Intel plans to limit OS support on future processors starting with Kaby Lake and Apollo Lake CPUs. Now this sounds horrible, but you may be taking the word support out of context: it refers to the support that major customers require, which leads to the so-called errata (pdf example), not that the processors will be incapable of running any OS but Windows 10. This may not matter so much to the average consumer, but for industries and the scientific community this could result in huge costs, as they would no longer be able to get fixes from Intel unless they have upgraded to Windows 10. That upgrade comes with its own costs: the monstrous amount of time it will take for compatibility testing, application updating and implementation, not to mention licensing fees.

AMD should take note of this, focus on continued legacy support and most importantly advertising that fact.  The price difference between choosing AMD over Intel could become even more compelling for these large customers and help refill AMD's coffers.

"With Intel planning to have its next-generation processors support only Windows 10, industrial PC (IPC) players are concerned that the move will dramatically increase their costs and affect market demand, according to sources from IPC players."

Source: DigiTimes

Sure ... it's the filesharing that takes up all the bandwidth

Subject: General Tech | December 8, 2015 - 12:43 PM |
Tagged: bandwidth, streaming, fud

The next time you hear someone harping about how the tubes are clogged with filesharing, either legal or illegal, as the reason why your internet is slow or dropping out, you should reference this chart. According to Sandvine, who would tend to know this sort of thing, just over 65% of all traffic is media streaming. Chances are that the vast majority of that traffic is legal, coming from Netflix, YouTube, Spotify and the wide variety of other online content providers. Indeed, chances are you pay to use that service, so when your connection degrades and you contact your ISP about it, make sure to have this handy as a reference.

If those companies want to charge you for a service they should actually provide it and not try to blame their lack of infrastructure or insight on something else.  Unfortunately they will probably ignore the data and the only result of knowing this will be a sharp increase in your blood pressure.  Still, knowing is half the battle so head to re/code for a look at the charts they have compiled into this article.

"Here’s the latest breakdown from broadband services company Sandvine of “fixed access” — for the purposes of this piece, read it as “home broadband” — Internet usage during peak evening hours. That big red bar in the middle is the one to focus on."

Source: re/code

Should you fear SilverPush?

Subject: General Tech | November 20, 2015 - 02:22 PM |
Tagged: security, silverpush, fud

SilverPush has been around for a while but was recently reverse-engineered so that it could be investigated by anyone with an interest in their phone's security. It is software that is often bundled in advertisements or streamed media that takes advantage of your phone's far greater range of audio sensitivity and the fact that you can communicate information via audio signals. This could allow an app to communicate with your phone without your knowledge, to collect data from your phone or even to provide contextual ads on your phone.

However, as you can see from the list of apps which The Register links to, there is not much likelihood that you have an app which has SilverPush enabled installed on your phone, and that is the real key. If you do not have an app which is listening for audio signals on those frequencies then you will not suffer the effects of SilverPush. The moral of the story is that your phone's security starts with you; if you download random free apps and allow them full access to your phone then you should not be surprised by this sort of thing.

"SilverPush's software kit can be baked into apps, and is designed to pick up near-ultrasonic sounds embedded in, say, a TV, radio or web browser advert. These signals, in the range of 18kHz to 19.95kHz, are too high pitched for most humans to hear, but can be decoded by software."
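
The 18kHz to 20kHz band named in both SilverPush posts can be checked for in a recording. The following is an added example, not code from the original posts or from SilverPush, that probes that band with the Goertzel algorithm on a constructed test signal; the function names, sample rate, probe step and threshold are assumptions chosen for illustration.

```python
import math

SAMPLE_RATE = 48_000          # Hz; assumed capture rate, high enough for 20 kHz
BAND = (18_000, 20_000)       # Hz; near-ultrasonic range named in the posts
STEP = 250                    # Hz between probe frequencies (assumption)
THRESHOLD = 0.01              # minimum tone amplitude to report (assumption)


def goertzel_amplitude(samples, freq, rate=SAMPLE_RATE):
    """Estimate the amplitude of one frequency component via Goertzel."""
    n = len(samples)
    k = round(n * freq / rate)            # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def find_beacon(samples, rate=SAMPLE_RATE):
    """Return (freq_hz, amplitude) of the strongest in-band tone, or None."""
    best = max(
        ((f, goertzel_amplitude(samples, f, rate))
         for f in range(BAND[0], BAND[1] + 1, STEP)),
        key=lambda pair: pair[1],
    )
    return best if best[1] >= THRESHOLD else None


def make_signal(beacon_hz=None, seconds=0.1, rate=SAMPLE_RATE):
    """Constructed test audio: a loud 1 kHz tone plus an optional quiet beacon."""
    out = []
    for i in range(int(seconds * rate)):
        t = i / rate
        v = 0.5 * math.sin(2 * math.pi * 1_000 * t)
        if beacon_hz is not None:
            v += 0.05 * math.sin(2 * math.pi * beacon_hz * t)
        out.append(v)
    return out


if __name__ == "__main__":
    print("clean audio :", find_beacon(make_signal()))
    print("with beacon :", find_beacon(make_signal(18_500)))
```

The quiet 18.5 kHz tone is reported even though the audible 1 kHz tone is ten times louder, because each Goertzel probe measures only its own frequency bin.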

Source: The Register

'Learn to trust us, because we're not about to stop.'

Subject: Editorial, General Tech | September 29, 2015 - 03:30 PM |
Tagged: trust, security, rant, microsoft, metadata, fud

Privacy of any nature when you utilize a device connected to the internet is quickly becoming a joke and not a very funny one. Just to name a few, Apple tracks your devices, Google scans every email you send, Lenovo actually has two programs to track your usage and of course there is Windows 10 and the data it collects and sends.  Thankfully in some of these cases the programs which track and send your data can be disabled but the fact of the matter is that they are turned on by default.

The Inquirer hits the nail on the head: "Money is simply a by-product of data," a fact which online sites such as Amazon and Facebook have known for a while and which software and hardware providers are now figuring out. In some cases an informed choice to share personal data is made, but this is not always true. When you share to Facebook or post your Fitbit results to the web you should be aware you are giving companies valuable data; the real question is about the data and metadata you are sharing of which you are unaware.

Should you receive compensation for the data you provide to these companies?  Should you always be able to opt out of sharing and still retain use of a particular service?  Perhaps the cost of utilizing that service is sharing your data instead of money?   There are a lot of questions and even a lot of different uses for this data but there is certainly no one single answer to those questions. 

Microsoft have been collecting data from BSoDs for decades and Windows users have all benefited from it, even though there is no opt out for sending that data. On the other hand, is there a debt incurred towards Lenovo or other companies when you purchase a machine from them? Does the collection of patterns of usage benefit Lenovo users in a similar way to the data generated by a Windows BSoD, or does the risk of this monitoring software being corrupted by others for nefarious purposes outweigh any possible benefits?

Of course this is only the tip of the iceberg; the Internet of Things is poised to become a nightmare for those who value their security, and there are numerous exploits to track your cellphone that have nothing to do with your provider. Just read through the Security tag here on PCPer for more examples if you have a strong stomach.

Please, take some time to think about how much you value your privacy and what data you are willing to share in exchange for products and services.  Integrate that concern into your purchasing decisions, social media and internet usage.  Hashtags are nice, but nothing speaks as loudly as your money; never forget that.

"MICROSOFT HAS SPOKEN out about its oft-criticised privacy policies, particularly those in the newly released Windows 10, which have provoked a spike in Bacofoil sales over its data collection policies."

Source: The Register

Bad Lenovo! Don't do anything even slightly fishy for a while

Subject: General Tech | September 25, 2015 - 02:33 PM |
Tagged: Lenovo, fud

Lenovo Customer Feedback Program 64 is nowhere near the level of SuperFish when it comes to creepy behaviour, but it certainly shows a lack of insight from the popular company. With SuperFish so recently in the headlines and people's memory it would perhaps have been beneficial for Lenovo to abandon any and all data collection from their users, but it would seem that is not the case. Thankfully this particular one appears in your Programs and can be removed via the Control Panel, but you can bet that it will immediately create negative feedback for the company. The Inquirer covers the details here; apparently it was collecting data about Win10 compatibility and user feedback, but no matter if it is innocuous or not, there will be fallout.

"SOFTWARE INCLUDED ON LENOVO hardware has been found to be suspicious-looking, and this is not the first time that the company has been caught out like this."

Source: The Inquirer

The Intel SMM bug is bad, but not that bad

Subject: General Tech | August 7, 2015 - 01:31 PM |
Tagged: fud, security, Intel, amd, x86, SMM

The SMM security hole that Christopher Domas has demonstrated (pdf) is worrying but don't panic; it requires your system to be compromised before you are vulnerable. That said, once you have access to the SMM you can do anything you feel like to the computer, up to and including ensuring you can reinfect the machine even after a complete format or UEFI update. The flaw was proven on Intel x86 machines but is likely to apply to AMD processors as well, as they were using the same architecture around the turn of the millennium; thankfully the issue has been mitigated in recent processors. Intel will be releasing patches for affected CPUs, although not all the processors can be patched, and we have yet to hear from AMD. You can get an overview of the issue by following the link at Slashdot and speculate in our comment section on whether this flaw was a mistake or inserted there on purpose.

"Security researcher Christopher Domas has demonstrated a method of installing a rootkit in a PC's firmware that exploits a feature built into every x86 chip manufactured since 1997. The rootkit infects the processor's System Management Mode, and could be used to wipe the UEFI or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn't help, because they too rely on the SMM to be secure."

Source: Slashdot