Proper per app permissions arriving to Windows 10

Subject: General Tech | September 14, 2017 - 02:40 PM | Jeremy Hellstrom
Tagged: microsoft, windows 10, security

The new Creators Update for Windows 10 just received a noteworthy upgrade.  Installed applications will now need your agreement to collect and transmit metadata such as your location and other information.  Many of the concerns raised by Windows 10 users focused on the current configuration which defaults to apps being allowed permission to track and send information; it can be turned off by a user but only after the fact.  Now applications will be installed with telemetry disabled by default unless a user agrees to the collection of information during the installation.  There are cases in which it is beneficial to send your usage information, especially Windows error reports, but that was no excuse to enable that ability across the board.  The Inquirer also mentions that the Enterprise version will offer greater control and limit the OS to local notifications of serious issues or updates.

"Starting with the new Creators Update, you will be required to explicitly give permission for each piece of access and there's even a full privacy statement to wallow through (or more likely ignore, make tea) during install."

Here is some more Tech News from around the web:

Tech Talk

• Samsung Says EUV on Schedule for 2018 @ EETimes
• Acer 1H17 gaming LCD monitor shipments hike 103% @ DigiTimes
• 'iPhone X tourism' is illegal (and doesn't actually save you much) @ The Inquirer
• Psychonauts Is Available for Free on Humble Bundle @ [H]ard|OCP
• Giant frikkin' British laser turret to start zapping stuff next year @ The Register
• Sacre bleu! Apple's high price, marginal gain iPhone strategy leaves it stuck in the mud @ The Register

So, about that D‑Link DIR 850L wireless AC1200 you might be using ...

Subject: General Tech | September 13, 2017 - 03:03 PM | Jeremy Hellstrom
Tagged: DIR 850L wireless AC1200, ac1200, D-Link, router, security

If you have a D-Link DIR 850L wireless router or know anyone that does, you should unplug it without delay.  The Register posted a link to the recently released findings of security researcher Pierre Kim, who originally contacted D-Link in February about the flaws only to see a single patch released since then.  The vulnerabilities are rather severe, ranging from a lack of verification for firmware images, through stored default private keys to an actual buit in backdoor.  The router is not compatible with DD-WRT so you cannot resolve the issue through that method; it should be treated as a brick until D-Link resolves these issues in an update.

"A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first."

Here is some more Tech News from around the web:

Tech Talk

• Apple's adoption of Qi signals the end of the wireless charging wars @ The Register
• TSMC starts equipment move-in at Nanjing plant @ DigiTimes
• It's September 2017, and .NET lets PDFs hijack your Windows PC @ The Register

Fool me once, shame on me ... Chrome gives Symantec the cold shoulder

Subject: General Tech | September 12, 2017 - 02:29 PM | Jeremy Hellstrom
Tagged: chrome, symantec, security

The original issue dates back two years ago, when a serious security issue was discovered effecting all Norton and Symantec products which allowed an attacker to easily infect your Windows kernel without any user interaction.  Following that revelation were a round of firings at Symantec which were intended to reassure customers and security experts which were somewhat successful, until earlier this year.  In January it was discovered that Symantec provided digital certificates to verify the authenticity of several questionable sites, including ones never authorized by ICANN.  This has been enough for Google; Chrome will no longer trust older Symantec certs in version 66 and will not trust any as of version 70.  The Inquirer provides a full timeline here.

"The decision to remove Symantec certificates came as a result of the discovery of a dodgy certificate in 2015, leading to a fuller investigation that brought forward more issues with security at the beginning of this year."

Here is some more Tech News from around the web:

Tech Talk

• Optical quantum memory shrinks to the nanoscale @ Nanotechweb
• WD Gold offers 12TB of storage aimed at the data centre @ The Inquirer
• Chatbot Lets You Sue Equifax For Up To $25,000 Without a Lawyer @ Slashdot
• What's a storage burrito, you ask? Why all the newsy tidbits chopped, cooked and wrapped up @ The Register

Your Roomba is spying on you and that fridge sure looks suspicious

Subject: General Tech | July 25, 2017 - 02:54 PM | Jeremy Hellstrom
Tagged: security, roomba, irobot, greed

It should be obvious to most that the new generation of Roombas builds up and saves a map of your house, that is how it memorizes how to navigate your floors to vacuum them.  One would also think it was obvious that this information should remain private; unfortunately iRobot does not seem to understand this.  They are in discussion with Apple, Amazon and Alphabet to determine a price at which iRobot will sell them the map of the parts of your house which your Roomba has traversed.  This should be somewhat disturbing to Roomba owners and likely very exciting to anyone who likes to wander univited into other people's homes.  The security of the data is not likely to be difficult to overcome for a motivated and skilled individual so keep that in mind if you are shopping for a robot vacuum.  You can pop by The Inquirer to read iRobot chief executive Colin Angle's bizarre response to tweets from concerned customers.

"VACUUM CLEANER COMPANY iRobot, responsible for the 'smart' Roomba vacuum, is considering doing something really dumb - selling user mapping data to companies that would hand over how your house is laid out."

Here is some more Tech News from around the web:

Tech Talk

• HoloLens: Microsoft brags about AI chip in next-gen techno-goggles @ The Register
• Linux Fu: Better Bash Scripting @ Hack a Day
• Samsung warns of My Knox glitch that could see data lost forever @ The Inquirer
• Intel Exits the Maker Movement @ Slashdot
• Gone daddy gone: GoDaddy offloads its cloud businesses @ The Register
• Adobe Announces that in 2020, Flash Player Will Reach Its 'End-of-Life' in Light of Newer Technologies @ Slashdot
• MAME devs are cracking open arcade chips to get around DRM @ Ars Technica
• λutonomous-λ SmartDesk 2 @ Modders-Inc
• Snopes is heading into a battle for its very existence (it's true) @ The Inquirer

Devil's Ivy, a voyeurs dream come true

Subject: General Tech | July 20, 2017 - 03:50 PM | Jeremy Hellstrom
Tagged: iot, Devil's Ivy, cameras, security, gSOAP

gSOAP is a open-source code library which allows hardware to be configured and controlled via web connections and is used by hundreds of companies including Axis, Microsoft, IBM, Adobe and Xerox.  It has a vulnerability which allows an attacker to trigger a stack overflow by sending a specific POST command over port 80 to a device, which in the case of cameras allows you to watch the live feed.  The vulnerability was patched in an update to gSOAP so future products will not have this issue, however any camera built on that library which currently in use is vulnerable.  The manufacturers would have to create an update to their own software and push it out to all the cameras currently in use to resolve this issue, and if there is one thing we know for sure about IoT products, it is that these patches do not tend to be created, let alone pushed out.

For more depressing details you can pop by The Register.

"Security researchers investigating internet-connected video cameras have uncovered a bug that could conceivably leave millions of devices open to easy pwnage."

Here is some more Tech News from around the web:

Tech Talk

• Intel has 'eliminated' its entire wearables division @ The Inquirer
• Microsoft will support Windows 10 on Clover Trail after all (well, a bit) @ The Inquirer
• Ethereum Co-Founder Says Cryptocurrencies Are 'a Ticking Time Bomb' @ Slashdot
• The Kaspersky Palaeontology of Cybersecurity Conference @ TechARP
• Amazon Echo Show @ Hardware Secrets
• Apple hurls out patches for dozens of security holes in iOS, macOS @ The Register

Does this look infected to you? Google launches a SAMBA app for Android

Subject: General Tech | July 10, 2017 - 12:52 PM | Jeremy Hellstrom
Tagged: wannacrypt, petya, security, samba, smbv1, google, andriod

If you missed out on having all your files encrypted and the chance to send bitcoin to a bunch of misanthropes who have no plans on unencrypting those files after you do, then download this new app from Google Play!  Then you can enable SMBv1 on all your other machines so your Android can share the virus amongst your other machines, perhaps you could even share this unforgettable experience  with your friends and family.  Do you really trust that the patches applied to this outdated network file sharing protocol will protect from the next wave of attacks or will you follow the advice from Microsoft's Ned Pyle that The Register quoted, "Stop using SMBv1".  There are a lot of other ways to share your files, most are even more effective than SMBv1 and are certainly more secure.

"This made Google's decision so odd, The Register wondered if the app were faking the Google brand, but no: the source code linked from the app is at the Chocolate Factory's GitHub repo."

Here is some more Tech News from around the web:

Tech Talk

• Microsoft 365 bundles Windows 10 and Office for SMBs and enterprises @ The Inquirer
• 48-year-old Multics OS comes back to life on the Raspberry Pi @ The Inquirer
• Someone's phishing US nuke power stations. So far, no kaboom @ The Register
• The Palaeontology of Cyberattacks by Vitaly Kamluk @ TechARP
• The BitScout Free Cyber Forensics Tool @ TechARP
• Eugene Kaspersky Interview : No Kremlin Ties! @ TechARP
• A Poor-Man’s Laser CNC Engraver @ Hack a Day

Change that default RasPi password, unless you meant to be donating cryptocurrency

Subject: General Tech | June 13, 2017 - 12:31 PM | Jeremy Hellstrom
Tagged: security, cryptocurrency, Raspberry Pi

If you are using a Raspberry Pi and did not set up two factor authentication or even worse, never changed the default passwords on the system then there is a very good chance you are mining for someone other than yourself.  There is a new piece of malware out there, in addition to the many which already exist, targeting Raspberry Pi machines and recruiting them into a mining group, instead of the usual usage which is to enlist them in a botnet for DDOS attacks.  Hack a Day has some additional suggestions, over and above the glaringly obvious recommendation to not keep default passwords; at least in this particular case they are not hard coded into the system.

"According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine some form of cryptocurrency. The other trojan sets up a proxy server."

Here is some more Tech News from around the web:

Tech Talk

• Ta-ta, security: Bungling Tata devs leaked banks' code on public GitHub repo, says IT bloke @ The Register
• Why Ethereum Is Outpacing Bitcoin @ Slashdot
• WiMax routers from Huawei and ZTE are vulnerable to authentication bypass attacks @ The Inquirer
• Mac ransomware author is giving away malicious code to script kiddies @ The Register
• Biostar, ASRock, Colorful see rising demand for mining motherboards, says paper @ DigiTimes
• Move over, Stuxnet: Industroyer malware linked to Kiev blackouts @ The Register

Windows 10 S ... the S could stand for secure

Subject: General Tech | June 9, 2017 - 02:29 PM | Jeremy Hellstrom
Tagged: Windows 10 S, security

Microsoft recently pointed out that their new lite version of Windows 10 for students, Windows 10 S, is completely immune to all known malware.  This does make sense, the OS is simply unable to install anything that is not from the Windows Store, which does not host any official malware, even if some of the available programs are not entirely useful.  That security will last as long as no one figures out a way to fake the file validation and the connection to Microsoft's online store, or manages to get a malware infected file approved for sale on the store.  Apple has had some experience which prove that is not an impossibility.   Pop by Slashdot for more.

You could also chose to go with the OS of choice for financial institutions and various other industries, Windows XP Embedded with the Enhanced Write Filter.  Generally secure and can be reset with a simple reboot ... in most cases.

"However, if you want to guarantee your safety from ransomware, then Microsoft points out there's an even more secure option to consider -- Windows 10 S. The new, hardened Windows 10 variant only runs apps from the Windows Store, which means it can't run programs from outside Microsoft's ecosystem, and that includes malware. Which is why, as Microsoft says, "No known ransomware works against Windows 10 S."

Here is some more Tech News from around the web:

Tech Talk

• Computex 2017: Corsair goes high-concept @
• Blackberry KeyOne consumer alert: You bend it, you break it @ The Inquirer
• Linksys WRT3200ACM AC3200 Wireless Router @ Kitguru
• Skype Retires Older Apps for Windows, Linux @ Slashdot
• COUGAR ARMOR Gaming Chair Review @ NikKTech