Texting troubles with 2FA

Subject: General Tech | September 19, 2017 - 02:07 PM |
Tagged: security, sms, 2fa

Two factor authentication is the way to go when dealing with important information online; unfortunately, the most common way of enabling 2FA has proven rather vulnerable.  With just your name, surname and phone number an unsavoury type could use a vulnerability on cellular networks to gain access to your accounts.  The example given over at Slashdot is of a Coinbase wallet with 2FA, registered with a Gmail address also protected by 2FA, which the security researchers easily took control of.  Take a look at the article for more details on the SS7 network vulnerabilities this attack exploits as well as better ways of making use of 2FA.

If you do intend to continue to use SMS as part of your 2FA, at least consider disabling the feature on your phone which allows you to briefly read a text without unlocking your phone.


"The report notes of several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"


Source: Slashdot

Proper per app permissions arriving to Windows 10

Subject: General Tech | September 14, 2017 - 02:40 PM |
Tagged: microsoft, windows 10, security

The new Creators Update for Windows 10 just received a noteworthy upgrade.  Installed applications will now need your agreement to collect and transmit metadata such as your location and other information.  Many of the concerns raised by Windows 10 users focused on the current configuration which defaults to apps being allowed permission to track and send information; it can be turned off by a user but only after the fact.  Now applications will be installed with telemetry disabled by default unless a user agrees to the collection of information during the installation.  There are cases in which it is beneficial to send your usage information, especially Windows error reports, but that was no excuse to enable that ability across the board.  The Inquirer also mentions that the Enterprise version will offer greater control and limit the OS to local notifications of serious issues or updates.


"Starting with the new Creators Update, you will be required to explicitly give permission for each piece of access and there's even a full privacy statement to wallow through (or more likely ignore, make tea) during install."


Source: The Inquirer

So, about that D‑Link DIR 850L wireless AC1200 you might be using ...

Subject: General Tech | September 13, 2017 - 03:03 PM |
Tagged: DIR 850L wireless AC1200, ac1200, D-Link, router, security

If you have a D-Link DIR 850L wireless router or know anyone that does, you should unplug it without delay.  The Register posted a link to the recently released findings of security researcher Pierre Kim, who originally contacted D-Link in February about the flaws only to see a single patch released since then.  The vulnerabilities are rather severe, ranging from a lack of verification for firmware images, through stored default private keys, to an actual built-in backdoor.  The router is not compatible with DD-WRT so you cannot resolve the issue through that method; it should be treated as a brick until D-Link resolves these issues in an update.


"A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first."


Source: The Register

Fool me once, shame on me ... Chrome gives Symantec the cold shoulder

Subject: General Tech | September 12, 2017 - 02:29 PM |
Tagged: chrome, symantec, security

The original issue dates back two years, when a serious security issue was discovered affecting all Norton and Symantec products, one which allowed an attacker to easily infect your Windows kernel without any user interaction.  That revelation was followed by a round of firings at Symantec intended to reassure customers and security experts, which was somewhat successful until earlier this year.  In January it was discovered that Symantec provided digital certificates to verify the authenticity of several questionable sites, including ones never authorized by ICANN.  This has been enough for Google; Chrome will no longer trust older Symantec certs in version 66 and will not trust any as of version 70.  The Inquirer provides a full timeline here.


"The decision to remove Symantec certificates came as a result of the discovery of a dodgy certificate in 2015, leading to a fuller investigation that brought forward more issues with security at the beginning of this year."


Source: The Inquirer

Your Roomba is spying on you and that fridge sure looks suspicious

Subject: General Tech | July 25, 2017 - 02:54 PM |
Tagged: security, roomba, irobot, greed

It should be obvious to most that the new generation of Roombas builds up and saves a map of your house; that is how it memorizes how to navigate your floors to vacuum them.  One would also think it was obvious that this information should remain private; unfortunately iRobot does not seem to understand this.  They are in discussion with Apple, Amazon and Alphabet to determine a price at which iRobot will sell them the map of the parts of your house which your Roomba has traversed.  This should be somewhat disturbing to Roomba owners and likely very exciting to anyone who likes to wander uninvited into other people's homes.  The security of the data is not likely to be difficult to overcome for a motivated and skilled individual, so keep that in mind if you are shopping for a robot vacuum.  You can pop by The Inquirer to read iRobot chief executive Colin Angle's bizarre response to tweets from concerned customers.


"VACUUM CLEANER COMPANY iRobot, responsible for the 'smart' Roomba vacuum, is considering doing something really dumb - selling user mapping data to companies that would hand over how your house is laid out."


Source: The Inquirer

Devil's Ivy, a voyeur's dream come true

Subject: General Tech | July 20, 2017 - 03:50 PM |
Tagged: iot, Devil's Ivy, cameras, security, gSOAP

gSOAP is an open-source code library which allows hardware to be configured and controlled via web connections and is used by hundreds of companies including Axis, Microsoft, IBM, Adobe and Xerox.  It has a vulnerability which allows an attacker to trigger a stack overflow by sending a specific POST command over port 80 to a device, which in the case of cameras allows you to watch the live feed.  The vulnerability was patched in an update to gSOAP so future products will not have this issue; however, any camera built on that library which is currently in use is vulnerable.  The manufacturers would have to create an update to their own software and push it out to all the cameras currently in use to resolve this issue, and if there is one thing we know for sure about IoT products, it is that these patches do not tend to be created, let alone pushed out.

For more depressing details you can pop by The Register.


"Security researchers investigating internet-connected video cameras have uncovered a bug that could conceivably leave millions of devices open to easy pwnage."


Source: The Register

Does this look infected to you? Google launches a SAMBA app for Android

Subject: General Tech | July 10, 2017 - 12:52 PM |
Tagged: wannacrypt, petya, security, samba, smbv1, google, andriod

If you missed out on having all your files encrypted and the chance to send bitcoin to a bunch of misanthropes who have no plans on unencrypting those files after you do, then download this new app from Google Play!  Then you can enable SMBv1 on all your other machines so your Android can share the virus amongst your other machines; perhaps you could even share this unforgettable experience with your friends and family.  Do you really trust that the patches applied to this outdated network file sharing protocol will protect you from the next wave of attacks, or will you follow the advice from Microsoft's Ned Pyle that The Register quoted, "Stop using SMBv1"?  There are a lot of other ways to share your files; most are even more effective than SMBv1 and are certainly more secure.


"This made Google's decision so odd, The Register wondered if the app were faking the Google brand, but no: the source code linked from the app is at the Chocolate Factory's GitHub repo."


Source: The Register

Change that default RasPi password, unless you meant to be donating cryptocurrency

Subject: General Tech | June 13, 2017 - 12:31 PM |
Tagged: security, cryptocurrency, Raspberry Pi

If you are using a Raspberry Pi and did not set up two factor authentication or, even worse, never changed the default passwords on the system, then there is a very good chance you are mining for someone other than yourself.  There is a new piece of malware out there, in addition to the many which already exist, targeting Raspberry Pi machines and recruiting them into a mining group, instead of the usual usage which is to enlist them in a botnet for DDoS attacks.  Hack a Day has some additional suggestions, over and above the glaringly obvious recommendation to not keep default passwords; at least in this particular case they are not hard coded into the system.


"According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine some form of cryptocurrency. The other trojan sets up a proxy server."


Source: Hack a Day

Windows 10 S ... the S could stand for secure

Subject: General Tech | June 9, 2017 - 02:29 PM |
Tagged: Windows 10 S, security

Microsoft recently pointed out that their new lite version of Windows 10 for students, Windows 10 S, is completely immune to all known malware.  This does make sense: the OS is simply unable to install anything that is not from the Windows Store, which does not host any official malware, even if some of the available programs are not entirely useful.  That security will last as long as no one figures out a way to fake the file validation and the connection to Microsoft's online store, or manages to get a malware infected file approved for sale on the store.  Apple has had some experience which proves that is not an impossibility.  Pop by Slashdot for more.

You could also choose to go with the OS of choice for financial institutions and various other industries, Windows XP Embedded with the Enhanced Write Filter.  Generally secure and can be reset with a simple reboot ... in most cases.


"However, if you want to guarantee your safety from ransomware, then Microsoft points out there's an even more secure option to consider -- Windows 10 S. The new, hardened Windows 10 variant only runs apps from the Windows Store, which means it can't run programs from outside Microsoft's ecosystem, and that includes malware. Which is why, as Microsoft says, "No known ransomware works against Windows 10 S."


Source: Slashdot

AI to the rescue? Microsoft assimilates the security company Hexadite

Subject: General Tech | June 8, 2017 - 12:42 PM |
Tagged: microsoft, hexadite, windows defender, security

If you have never heard of Hexadite you are not alone; the online security company was formed in 2014, headquartered in Boston but based in Tel-Aviv.  It was just purchased by Microsoft for around $100 million so they can integrate Hexadite's Automated Incident Response Solution into their Windows Defender Advanced Threat Protection.  AIRS is not antivirus software; instead it is a tool that integrates with existing software and monitors for any alerts.  Once an alert is detected the tool automatically investigates that alert and searches for solutions, in theory saving your security team's sanity by vastly reducing the number of alerts they must deal with directly.  It will be interesting to see if this has an effect on the perception of companies and users as to the effectiveness of Windows Defender.

More over at The Inquirer.


"Hexadite's technology and talent will augment our existing capabilities and enable our ability to add new tools and services to Microsoft's robust enterprise security offerings."


Source: The Inquirer