Stop paying the ransomware you idiots! You get nothing back and encourage them to continue!

Subject: General Tech | December 16, 2016 - 12:47 PM |
Tagged: ransomware, security, idiots, backup

To anyone working in the field, it will come as no surprise that almost half of the 1600 businesses and consumers in the survey quoted at The Inquirer have been the victim of a ransomware attack.  What will come as a disappointment to you is that 70% of those who were infected paid the ransom, 25% of them between $20,000 and $40,000.  Shockingly, the majority of those who paid the ransom got nothing back; after all, how could someone who makes money by purposefully infecting machines not honour their word?

If you are infected with ransomware you have lost the data, pure and simple.  Reimage and move on; this is why you have backups.  It is painful and frustrating, but if you pay the bitcoins you are not going to get anything back and are encouraging them to continue by making this a lucrative business.  Just as it is with spam, it takes only a tiny percentage to fall for it to make it profitable.  Go and back your stuff up, twice.  If you need a stocking stuffer for someone, get them an external drive or a subscription to an online backup service, and look into CryptoDrop or a similar program.  Just don't give them bitcoins.

"The report suggested that as many as 46 per cent of the respondents had been affected by ransomware and that 70 per cent of these had admitted to paying the ransom, contrary to the advice of law enforcement agencies."

Source: The Register

Friends don't let friends perform unattended updates ... or Bitlocker be broken

Subject: General Tech | November 30, 2016 - 02:10 PM |
Tagged: bitlocker, microsoft, windows 10, security, hack

Is BitLocker cramping your voyeuristic cravings and preventing you from snooping on your loved ones or strangers?  Assuming you do not instead seek medical help for your problem, all you need to do is wait for Windows to perform a version update and for the user to get bored and walk away.  Hop onto their machine and press SHIFT+F10 to get a command prompt which will be running with SYSTEM privileges (the Windows equivalent of root) and take advantage of the fact that Windows disables BitLocker while installing an updated version of Windows.  This will not work for all updates; it needs to be a major OS update such as the move to Anniversary Edition, which changes the version of Windows installed on the machine.

Microsoft is working on a fix; in the meantime, sticking with the Windows Long Term Servicing Branch or slightly modifying how updates are pushed via WSUS or SCCM will ensure this vulnerability cannot be leveraged.  You can also take the simple measure of sticking around when major updates occur.  Pop over to Slashdot for more information.

"This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix."

Source: Slashdot

Tesla stores your Owner Authentication token in plain text ... which leads to a bad Ashton Kutcher movie

Subject: General Tech | November 25, 2016 - 12:52 PM |
Tagged: Android, Malware, hack, tesla, security

You might expect better from Tesla and Elon Musk, but apparently you would be disappointed, as the OAuth token in your car's mobile app is stored in plain text.  The token is used to control your Tesla and is generated when you enter your username and password.  It is good for 90 days, after which it requires you to log in again so a new token can be created.  Unfortunately, since that token is stored as plain text, someone who gains access to your Android phone can use that token to open your car's doors, start the engine and drive away.  Getting an Android user to install a malicious app which would allow someone to take over their device has proven depressingly easy.  Comments on Slashdot suggest it is unreasonable to blame Tesla for security issues in your device's OS, which is hard to argue; on the other hand, it is impossible for Tesla to defend choosing to store your OAuth token in plain text.

"By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials."

Source: Slashdot
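
As an added example (not from the original post or from Tesla's app): a small audit a developer could run over their own app's stored settings to catch a bearer token left in plain text.  It assumes the app keeps settings in an Android SharedPreferences XML file; the sample file, key names, values and thresholds are all constructed for illustration.

```python
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed SharedPreferences sample; every key name and value is invented.
# 7776000 s = 90 days, the token lifetime the post mentions.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="access_token">3f9c1e7ab2d44c0f9e8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c</string>
    <long name="expires_in" value="7776000" />
    <string name="email">owner@example.com</string>
    <string name="ui_theme">dark</string>
    <string name="cfg_a">Zk3pQ9vXw2Lr8TnB5yHs7JdM1cGf4UaE</string>
</map>
"""

# Key names that usually hold credentials (heuristic, assumed list).
CREDENTIAL_NAME = re.compile(r"token|secret|passw|auth|session|api[_-]?key", re.I)


def shannon_entropy(text):
    """Bits per character; random tokens score far higher than words."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def audit_prefs(xml_text, min_len=24, min_entropy=3.5):
    """Return (key, reasons, masked_preview) for values that look like secrets."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for element in root.iter("string"):
        name = element.get("name", "")
        value = (element.text or "").strip()
        reasons = []
        if CREDENTIAL_NAME.search(name):
            reasons.append("credential-like key name")
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            reasons.append("long high-entropy value")
        if reasons:
            # Mask the value so the audit report does not leak the secret.
            findings.append((name, reasons, value[:4] + "***"))
    return findings


if __name__ == "__main__":
    for key, reasons, preview in audit_prefs(SAMPLE_PREFS):
        print(f"{key}: {', '.join(reasons)} ({preview})")
```

A hit means the value belongs in hardware-backed storage such as the Android Keystore, or encrypted under a key held there, rather than in a readable file.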

Have tape over your webcam? Might want to fill your headphones with wax as well!

Subject: General Tech | November 24, 2016 - 12:35 PM |
Tagged: security, hack, audio, Realtec

Security researchers have discovered a way to flip an output channel on onboard Realtek audio into an input channel, thus turning your headphones into an unpowered microphone.  The ability of a speaker or headphone to be used as a microphone is not news to anyone who has played around with headphones or input jacks, but it is possible some readers had deprived childhoods and have never tried this.  While you cannot mitigate this vulnerability permanently, you could certainly notice it, as your headphones would no longer play audio if the port is configured as input.

Drop by Slashdot for a link, and if you have never tried this out before you really should find an old pair of headphones and experiment with ports as well as snipping off one side of a pair of earbuds.  One supposes iPhone 7 users need not worry.

"In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room. It essentially "retasks" the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. This isn't a driver fix, either."

Source: Slashdot

Touchless jackpotting, making ATMs disgorge their contents remotely

Subject: General Tech | November 23, 2016 - 12:50 PM |
Tagged: hack, bank, atm, security, cobalt

Imagine walking down the street, only to notice an ATM spewing money out of its slots and into a bag held by a shady looking character; but not in a video game.  In at least 14 countries including Russia, the UK, the Netherlands and Malaysia, hackers are using a program dubbed Cobalt to conduct remote logical attacks on ATMs.  These attacks cause the ATM to empty itself into the waiting hands of an accomplice who only needs to show up at the appropriate time.  As the attacks are conducted remotely, the mule may have only the slightest connection to the hackers that compromised the banking system, which makes them very hard to catch.  The Inquirer has links to more information on Cobalt; unfortunately, they do not have any details on fortunate times or locations to be present at.

"HACKERS HAVE MANAGED to hack cash machines so that they do what everyone who has ever used one has wanted them to do, which is just spit out cash like it was going out of fashion."

Source: The Inquirer

Love to argue on the internet? Why not leave your mark on the IoT!

Subject: General Tech | November 21, 2016 - 12:26 PM |
Tagged: iot, security

Hack a Day takes you on a bit of a trip down memory lane to demonstrate how current programmers can have a major influence on the standards that the Internet of Things will eventually adopt.  If you remember X.25's loss to TCP/IP thanks to the volume of adoption the latter had, or mourn the loss of SOAP's XML-based transmission to JSON, then you have an idea what they are discussing.

If a large enough group of programmers choose a particular communications protocol or software library to design connected household appliances, manufacturers will find it easier and more economical to base their products on the skills of the programmers who work for them.  Any security and performance enhancements that come about because of this would be an added benefit to the company and of great value to the end users.  Pick up that keyboard and see if you can't turn the tide and plug up the I/O ports of the death toaster.

"In the long term however it’s unlikely we’re going to let one company become the backhaul for consumer Internet of Things traffic. It’s unlikely that there will be one platform to rule them all. I don’t think it’s going to be long till IFTTT starts to see some complaints about that, and inevitably clones."

Source: Hack a Day

Weird, the cell signal is really strong over by the printer

Subject: General Tech | November 3, 2016 - 12:51 PM |
Tagged: security

Just how easy is it to intercept your cellphone signals, be it texting or calling?  Julian Oliver showed off the simplicity of it by adding a GSM base station to the internals of an HP printer, and thanks to its proximity to your phone it easily overpowers the signal sent by your provider's cell tower.  It can text and call you or intercept anything sent from your phone once your device connects, showing just how easily unencrypted cell signals can be monitored.  This particular project is for an art show with warnings displayed for attendees, as this is to highlight the simplicity of eavesdropping as opposed to the nefarious purposes it could easily serve.  Drop by Ars Technica for more detail, including the code he used.

"Earlier this week, the Berlin-based hacker-artist unveiled the result: An entirely boring-looking Hewlett Packard printer that also secretly functions as a rogue GSM cell base station, tricking your phone into connecting to it rather than your phone carrier’s tower, effectively intercepting your calls and text messages."

Source: Ars Technica

ARM plans to mbed itself into the IoT, for better or worse

Subject: General Tech | October 26, 2016 - 01:08 PM |
Tagged: arm, Mbed OS, iot, security

Is a single point of failure more or less secure than multiple points?  That is the question IoT designers should ask when considering ARM's new mbed OS, designed to rein in the fiasco which is the current state of security in the IoT market.  On the one hand, this OS will run on just about any device you could want, even if you prefer your device remain on MIPS, Linux or another OS, and regardless of your back end provider.  It will allow encrypted updates to be pushed out to devices' software or firmware from a single source, and the companies which use it will be charged on a pay-per-use scheme as opposed to a fixed cost.

On the sinister hand, this means that when someone manages to exploit an unforeseen vulnerability in mbed, the communications between ARM and the devices or the factory set private keys, they will be able to own every single mbed device out there.  That is unfortunately merely a matter of time and so we wait to hear from ARM as to how they plan to partition the devices which use mbed and other measures they will develop to prevent a worse DDoS than the Dyn DNS attack last week.  You can take a deeper look at mbed's structure as well as ARM's new Cortex-M33 and Cortex-M23 microcontrollers over at The Register.

"So ARM has come up with mbed Cloud, a software-as-a-service platform that securely communicates with firmware in devices to install fixes and feature updates. Product makers pay to remotely manage all their sold kit. Crucially, they pay for what they use – whether it's pushing updates, or connecting millions of units, and so on."

Source: The Register

Know someone who uses the Johnson & Johnson Animas OneTouch Ping insulin pump?

Subject: General Tech | October 5, 2016 - 12:43 PM |
Tagged: security, hack, iot

The good news about this hack is that you would need good timing and physical proximity to the wireless remote which instructs the pump to administer insulin; the bad news is that this is all that is needed and it could result in the death or hospitalization of the target.  The vulnerability stems from the usual problem: the transmission between the remote and pump is done in the clear, letting anyone who is looking retrieve serial numbers and codes.  With that information you can then trigger a dose to be delivered or quite feasibly change the default amount of dosage the pump delivers, as was done previously with a different model.

IoT security as it applies to fridges and toasters is one thing; medical devices quite another.  News of unauthorized access to pacemakers and other drug delivery systems which could result in death is not uncommon, yet companies continue to produce insecure systems.  Adding even simple encryption to transmissions as well as firmware based dosage sizes should be trivial after the release of a product and even easier before it is released.  Keep this in mind when you are seeking medical care; choosing devices which are less likely to kill you because of shoddy security makes sense.  You can pop by Slashdot for links to some stories or wade into the comments if you so desire.

"Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients -- however, it declares that the risk of this happening is very low."

Source: Slashdot

The toasters are revolting!

Subject: General Tech | September 26, 2016 - 01:01 PM |
Tagged: iot, security, upnp

Over the weekend you might have noticed some issues on your favourite interwebs, as there was a rather impressively sized DDoS attack going on.  The attack was a mix of old and new techniques; they leveraged the UPnP protocol, which has always been a favourite vector, but the equipment hijacked were IoT appliances.  The processing power available in toasters, DVRs and even webcams is now sufficient to be utilized and is generally a damned sight easier to control than even an old unpatched XP machine.  This does not spell the end of the world, which will likely be predicted on the cable news networks, but does further illustrate the danger in companies producing inherently insecure IoT devices.  If you are not sure what UPnP is, or are aware but do not currently need it, consider disabling it on your router or think about setting up something along the lines of ye olde three router solution.

Hack a Day has links to a bit more information on what happened here.

"Brace yourselves. The rest of the media is going to be calling this an “IoT DDOS” and the hype will spin out of control. Hype aside, the facts on the ground make it look like an extremely large distributed denial-of-service attack (DDOS) was just carried out using mostly household appliances (145,607 of them!) rather than grandma’s old Win XP system running on Pentiums."

Source: Hack a Day