What's up with WhatsApp

Subject: General Tech | January 16, 2017 - 06:13 PM |
Tagged: whatsapp, fud, facebook, encryption

By now you will have seen a headline screaming something about the security of Facebook's WhatsApp messaging service, ranging from a backdoor purposefully inserted into the app to a complete denial of any security risk at all.  The actual issue is much larger than WhatsApp and concerns all applications which depend on public key encryption.

Many applications utilize public keys for their encryption; the encryption relies on keys unique to the sender's and receiver's devices, and the public key is used to verify the authorization of a new device.  If your account's key were permanently attached to a specific piece of hardware you would need a separate account for each device you used, which would be quite onerous.

The issue is that the Open Whisper Signal protocol is configured by WhatsApp in a way which makes the data vulnerable to a man-in-the-middle attack.  If you can manage to block the transmission of a message, then take over one of the authorized devices' accounts or phone numbers and trigger the generation of a new private key via a public key request to Facebook, then you will be able to read messages until people realize what is going on.  This is not impossible but far from easy to accomplish, and affects any similar encryption system, not just WhatsApp.

Perhaps more worrying is Facebook's ability to take advantage of this, as they can generate a new public key to read messages, if they so choose.  If you are concerned about this, you can enable the Show Security Notifications setting under Settings -> Account -> Security to be notified whenever a contact's security code has changed.  The Register links to several articles which delve into the technology as well as the media's reactions here, if you are interested.
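The key-change handling described above, modelled as an added example (not WhatsApp's or Signal's code, and not from the original post): a sender holding an undelivered message receives a new key for a contact, with and without security notifications, and under a policy that holds messages until the new code is verified. The `Sender` class, its policy flag and the keys are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def security_code(public_key: bytes) -> str:
    """Short digest of a public key, standing in for the app's security code."""
    return hashlib.sha256(public_key).hexdigest()[:12]

@dataclass
class Sender:
    block_on_key_change: bool   # hypothetical policy switch
    notify: bool = True         # models "Show Security Notifications"
    known: dict = field(default_factory=dict)    # contact -> security code
    pending: dict = field(default_factory=dict)  # contact -> undelivered texts
    events: list = field(default_factory=list)   # what the user gets to see

    def send(self, contact, text, contact_key, delivered):
        self.known.setdefault(contact, security_code(contact_key))  # first use
        if not delivered:       # e.g. the message was blocked in transit
            self.pending.setdefault(contact, []).append(text)

    def on_new_key(self, contact, new_key):
        """Server announces a new key; return texts re-encrypted to it."""
        code = security_code(new_key)
        if self.known.get(contact) == code:
            return []
        if self.notify:
            self.events.append(f"security code for {contact} changed")
        if self.block_on_key_change:
            return []           # held until the user verifies the new code
        self.known[contact] = code
        return self.pending.pop(contact, [])

    def verify(self, contact, new_key, code_from_contact):
        """User compared codes out of band; release held texts on a match."""
        if security_code(new_key) != code_from_contact:
            return []
        self.known[contact] = code_from_contact
        return self.pending.pop(contact, [])

def scenario(block, notify):
    """Constructed case: one blocked message, then an unexpected key change."""
    s = Sender(block_on_key_change=block, notify=notify)
    s.send("bob", "meet at 6", b"bob-key-1", delivered=False)
    released = s.on_new_key("bob", b"unexpected-key")
    return released, s.events, s.pending.get("bob", [])
```

With notifications on but no blocking, the message is still released to the new key; the notification only tells the user after the fact.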


"The problem – which is "endemic to public key cryptography" – was raised in April last year, and at the time WhatsApp said it wasn't a serious enough design flaw to spend time fixing."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Hack inflight entertainment crashes planes! Ya, not so much ya nutter

Subject: General Tech | December 20, 2016 - 06:04 PM |
Tagged: security, fud

You will probably see a headline picked up from the Telegraph warning of how hackers can use the in-flight entertainment systems to cause planes to crash; please ignore it.  Pilots do not generally log into a secret part of the interface on your seatback screen to control the airplane; they have a separate system which is not about to be overridden by someone screwing with the entertainment system.  On the other hand they could force everyone to watch a Rob Schneider movie, which might be worse.  The Inquirer also suggests playing with cabin lighting or broadcasting fake announcements, as annoying as the teenager chatting away on the phone next to you or the child screaming in the background.  There were some reasonable suggestions in the article, which you can see here.


"LADIES AND GENTLEMEN, THIS IS YOUR PILOT SPEAKING. It turns out that hackers may be able to fiddle with the in-flight entertainment system on board and take control of the plane."


Source: The Inquirer

Simply FUD or a message from the Forced Upgrade Department?

Subject: General Tech | May 18, 2016 - 04:44 PM |
Tagged: Intel, microsoft, fud

DigiTimes has a doozy of a post title, stating that Intel plans to limit OS support on future processors starting with Kaby Lake and Apollo Lake CPUs.  Now this sounds horrible but you may be taking the word support out of context, as it refers to the support that major customers require, which leads to the so-called errata (pdf example); it does not mean that the processors will be incapable of running any OS but Windows 10.  This may not matter so much to the average consumer but for industries and the scientific community this could result in huge costs, as they would no longer be able to get fixes from Intel unless they have upgraded to Windows 10.  That upgrade comes with its own costs: the monstrous amount of time it will take for compatibility testing, application updating and implementation, not to mention licensing fees.

AMD should take note of this, focus on continued legacy support and most importantly advertising that fact.  The price difference between choosing AMD over Intel could become even more compelling for these large customers and help refill AMD's coffers.


"With Intel planning to have its next-generation processors support only Windows 10, industrial PC (IPC) players are concerned that the move will dramatically increase their costs and affect market demand, according to sources from IPC players."


Source: DigiTimes

Sure ... it's the filesharing that takes up all the bandwidth

Subject: General Tech | December 8, 2015 - 05:43 PM |
Tagged: bandwidth, streaming, fud

The next time you hear someone harping about how the tubes are clogged with filesharing, either legal or illegal, as the reason why your internet is slow or dropping out you should reference this chart.  According to Sandvine, who would tend to know this sort of thing, just over 65% of all traffic is media streaming.  Chances are that the vast majority of that traffic is legal, coming from Netflix, YouTube, Spotify and the wide variety of other online content providers.  Indeed, chances are you pay to use that service so when your connection degrades and you contact your ISP about it make sure to have this handy as a reference. 

If those companies want to charge you for a service they should actually provide it and not try to blame their lack of infrastructure or insight on something else.  Unfortunately they will probably ignore the data and the only result of knowing this will be a sharp increase in your blood pressure.  Still, knowing is half the battle so head to re/code for a look at the charts they have compiled into this article.


"Here’s the latest breakdown from broadband services company Sandvine of “fixed access” — for the purposes of this piece, read it as “home broadband” — Internet usage during peak evening hours. That big red bar in the middle is the one to focus on."


Source: re/code

Should you fear SilverPush?

Subject: General Tech | November 20, 2015 - 07:22 PM |
Tagged: security, silverpush, fud

SilverPush has been around for a while but was recently reverse-engineered so that it could be investigated by anyone with an interest in their phone's security.  It is software that is often bundled in advertisements or streamed media that takes advantage of your phone's far greater range of audio sensitivity and the fact that you can communicate information via audio signals.  This could allow an app to communicate with your phone without your knowledge, to collect data from your phone or even to provide contextual ads on your phone.

However, as you can see from the list of apps which The Register links to, there is not much likelihood that you have an app with SilverPush enabled installed on your phone, and that is the real key.  If you do not have an app which is listening for audio signals on those frequencies then you will not suffer the effects of SilverPush.  The moral of the story is that your phone's security starts with you; if you download random free apps and allow them full access to your phone then you should not be surprised by this sort of thing.


"SilverPush's software kit can be baked into apps, and is designed to pick up near-ultrasonic sounds embedded in, say, a TV, radio or web browser advert. These signals, in the range of 18kHz to 19.95kHz, are too high pitched for most humans to hear, but can be decoded by software."
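One way to check a recording for a signal in the quoted 18kHz to 19.95kHz range, as an added example that is not from the original post or from SilverPush: it scans that band with the Goertzel algorithm and reports whether a single in-band tone carries a noticeable share of the energy. The sample rate, threshold and both test signals are assumptions constructed for the example.

```python
import math

SAMPLE_RATE = 44100      # assumed capture rate in Hz
BAND = (18000, 19950)    # near-ultrasonic range quoted above, in Hz

def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Squared magnitude of one frequency component (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_ratio(samples, band=BAND, step=10):
    """Share of total signal energy held by the strongest in-band tone.

    The 10 Hz step matches the frequency resolution of a 0.1 s window.
    """
    total = sum(x * x for x in samples)
    if total == 0.0:
        return 0.0       # silence: nothing to detect
    peak = max(goertzel_power(samples, f)
               for f in range(band[0], band[1] + 1, step))
    return (2.0 * peak / len(samples)) / total

def near_ultrasonic_present(samples, threshold=0.01):
    """True when an in-band tone carries more than `threshold` of the energy."""
    return band_ratio(samples) > threshold

def tone(freq, amplitude, n=4410):
    """Constructed test signal: n samples of a sine wave (0.1 s by default)."""
    return [amplitude * math.sin(2.0 * math.pi * freq * i / SAMPLE_RATE)
            for i in range(n)]

# Constructed inputs: audible 1 kHz audio, with and without a quiet 18.5 kHz tone.
CLEAN = tone(1000, 1.0)
MIXED = [a + b for a, b in zip(CLEAN, tone(18500, 0.2))]

if __name__ == "__main__":
    for name, sig in (("clean", CLEAN), ("mixed", MIXED)):
        print(name, round(band_ratio(sig), 4), near_ultrasonic_present(sig))
```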


Source: The Register

'Learn to trust us, because we're not about to stop.'

Subject: Editorial, General Tech | September 29, 2015 - 07:30 PM |
Tagged: trust, security, rant, microsoft, metadata, fud

Privacy of any nature when you utilize a device connected to the internet is quickly becoming a joke and not a very funny one. Just to name a few, Apple tracks your devices, Google scans every email you send, Lenovo actually has two programs to track your usage and of course there is Windows 10 and the data it collects and sends.  Thankfully in some of these cases the programs which track and send your data can be disabled but the fact of the matter is that they are turned on by default.

The Inquirer hits the nail on the head: "Money is simply a by-product of data," a fact which online sites such as Amazon and Facebook have known for a while and which software and hardware providers are now figuring out.  In some cases an informed choice to share personal data is made, but this is not always true. When you share to Facebook or post your Fitbit results to the web you should be aware you are giving companies valuable data; the real question is about the data and metadata you are sharing of which you are unaware.


Should you receive compensation for the data you provide to these companies?  Should you always be able to opt out of sharing and still retain use of a particular service?  Perhaps the cost of utilizing that service is sharing your data instead of money?   There are a lot of questions and even a lot of different uses for this data but there is certainly no one single answer to those questions. 

Microsoft have been collecting data from BSoDs for decades and Windows users have all benefited from it even though there is no opt out for sending that data.  On the other hand, is there a debt incurred towards Lenovo or other companies when you purchase a machine from them?  Does the collection of patterns of usage benefit Lenovo users in a similar way to the data generated by a Windows BSoD, or does the risk of this monitoring software being corrupted by others for nefarious purposes outweigh any possible benefits?


Of course this is only the tip of the iceberg; the Internet of Things is poised to become a nightmare for those who value their security, and there are numerous exploits to track your cellphone that have nothing to do with your provider.  Just read through the Security tag here on PCPer for more examples if you have a strong stomach.

Please, take some time to think about how much you value your privacy and what data you are willing to share in exchange for products and services.  Integrate that concern into your purchasing decisions, social media and internet usage.  Hashtags are nice, but nothing speaks as loudly as your money; never forget that.

"MICROSOFT HAS SPOKEN out about its oft-criticised privacy policies, particularly those in the newly released Windows 10, which have provoked a spike in Bacofoil sales over its data collection policies."


Source: The Register

Bad Lenovo! Don't do anything even slightly fishy for a while

Subject: General Tech | September 25, 2015 - 06:33 PM |
Tagged: Lenovo, fud

Lenovo Customer Feedback Program 64 is nowhere near the level of SuperFish when it comes to creepy behaviour but it certainly shows a lack of insight from the popular company.  With SuperFish so recently in the headlines and people's memory it would perhaps have been beneficial for Lenovo to abandon any and all data collection from their users, but it would seem that is not the case.  Thankfully this particular one appears in your Programs and can be removed via the Control Panel, but you can bet that it will immediately create negative feedback for the company.  The Inquirer covers the details here; apparently it was collecting data about Win10 compatibility and user feedback, but no matter if it is innocuous or not, there will be fallout.


"SOFTWARE INCLUDED ON LENOVO hardware has been found to be suspicious-looking, and this is not the first time that the company has been caught out like this."


Source: The Inquirer

The Intel SMM bug is bad, but not that bad

Subject: General Tech | August 7, 2015 - 05:31 PM |
Tagged: fud, security, Intel, amd, x86, SMM

The SMM security hole that Christopher Domas has demonstrated (pdf) is worrying but don't panic; it requires your system to be compromised before you are vulnerable.  That said, once you have access to the SMM you can do anything you feel like to the computer, up to and including ensuring you can reinfect the machine even after a complete format or UEFI update.  The flaw was proven on Intel x86 machines but is likely to apply to AMD processors as well, as they were using the same architecture around the turn of the millennium; thankfully the issue has been mitigated in recent processors.  Intel will be releasing patches for affected CPUs, although not all the processors can be patched, and we have yet to hear from AMD.  You can get an overview of the issue by following the link at Slashdot and speculate on whether this flaw was a mistake or inserted there on purpose in our comment section.


"Security researcher Christopher Domas has demonstrated a method of installing a rootkit in a PC's firmware that exploits a feature built into every x86 chip manufactured since 1997. The rootkit infects the processor's System Management Mode, and could be used to wipe the UEFI or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn't help, because they too rely on the SMM to be secure."


Source: Slashdot

Who gets Windows 10 love and who doesn't

Subject: General Tech | June 23, 2015 - 07:44 PM |
Tagged: windows 10, microsoft, fud

The Inquirer was nice enough to compile a list of requirements to get a free upgrade to Windows 10, based on the rather confusing information which is being provided by Microsoft.  Windows XP and Vista users as well as any and all Enterprise customers will have to pay; prices are expected to be similar to previous releases.  If you run Win7 then you have until 27 July 2016 to click that little upgrade icon to reserve your copy for installation once the new OS is released.  If you are running Win8 then you must upgrade to Win8.1; from there you are qualified.  If you ran the beta, as in you were a member of the Windows Insiders Programme, it depends on your current Windows license; the fact that you tested will not grant you a free copy of Windows 10.  If you pirated or have lost your key then you are SOL, as are those running Linux, as The Inquirer amusingly points out.


"MICROSOFT has been a little less than helpful in clarifying the terms of the free Windows 10 upgrade offer, and The INQUIRER is here to help."


Source: The Inquirer

Hold the phones there Hola, you are making a profit off of my bandwidth?

Subject: General Tech | June 11, 2015 - 05:18 PM |
Tagged: security, vpn, hola, fud

If you are using the free VPN service from Hola you really need to find a different solution.  Not only has it been plagued with security vulnerabilities, some of which they have addressed and some of which even they admit still exist, you will also unwittingly be providing exit nodes and bandwidth for anonymous surfers.  To add insult to injury, those users pay $20/GB to Hola for use of your bandwidth and you will never see a penny of that.  Hola's Luminati service allows those users to surf the net anonymously by directing their traffic over anyone using the free VPN, or as they refer to it, an unblocking service, so not only is your bandwidth being used, you have no idea what traffic is actually exiting through your VPN.

That is pretty much the exact opposite of a private network, and depending on what is being done and how well the traffic is monitored you could well find yourself embroiled in an investigation you had no idea you were opening yourself up to.  Check out more on this story at The Register.


"Embattled "free" VPN provider Hola is facing criticism over its practice of turning its users into exit nodes in a paid-for anonymisation service which can easily be used for nefarious activities. Hola's software is also claimed to include "unpatchable" vulnerabilities allowing takeover of user machines."


Source: The Register