Know anyone who uses the Intel Driver Update Utility? Update the updater ASAP

Subject: General Tech | January 21, 2016 - 12:52 PM |
Tagged: Intel, intel driver update utility, security

The Intel Driver Update Utility is not the most commonly found application on PCs, but someone you know may have stumbled upon it or had it installed by Geek Squad or the local equivalent.  The tool has been available since Windows Vista; it checks your system for any Intel parts, from your APU to your NIC, and then looks for any applicable drivers that are available.  Unfortunately it was doing so over a non-SSL URL, which leaves the utility wide open to a man-in-the-middle attack, and you really do not want a compromised NIC driver.  The Inquirer reports today that Intel quietly updated the tool on January 19th to resolve the issue, ensuring all communication and downloads are over SSL.  If you know anyone using this tool, recommend they update it immediately.


"Intel has issued a fix for a major security vulnerability in a driver utility tool that could have allowed a man-in-the-middle attack and a malware maelstrom on victims' computers."


Source: The Inquirer

Just fondle your mouse to log into Windows?

Subject: General Tech | January 20, 2016 - 12:19 PM |
Tagged: fingerprint, synaptics, ironveil, security

Synaptics, the company most likely responsible for the trackpad on your laptop, has released a new product, a 4x10mm fingerprint sensor which goes by the name of IronVeil.  The idea behind the product is to incorporate it into peripherals and pair it with Windows Passport to allow you to log in by touching your mouse or keyboard, similar to the current generation of cellphones.  Synaptics also suggests it could be used in eSports to ensure that the person behind the mouse is indeed who they claim to be.  The Tech Report tried out a Thermaltake Black V2 mouse with the sensor embedded; in their recent article they talk about their experiences with the mouse and introduce you to the FIDO Alliance and some of the authentication process which occurs behind the scenes.

One cannot help but point out that while passwords can be hashed and salted, the same cannot be said for fingerprints, which leads us back to previously mentioned concerns about the security of the online storage databases these prints would be stored in.  The eternal battle of convenience versus security rages on.


"Synaptics' IronVeil is a tiny fingerprint sensor module that serves as the foundation for a variety of new authentication techniques for home and business users alike. We've spent a couple weeks with a pre-production IronVeil mouse, and we've explored how it might be used in practice."

It's fixed now but for a while there your Ring let people into more than just the door

Subject: General Tech | January 13, 2016 - 12:27 PM |
Tagged: ring, iot, security, gainspan

The Ring WiFi-enabled video doorbell, with optional smartlock compatibility to let visitors in remotely, would also share your WiFi password with anyone who knew how to ask.  Just use a Torx screwdriver to pop the doorbell off, press the setup button on the back and connect to the Ring, and you can get the network's SSID and PSK in plain text.  Thankfully Ring has pushed out an update to resolve this issue, but it is a perfect demonstration of the abysmal security on IoT devices and the lack of any thought about security implications by users or makers of these new devices.  The Register also mentions the Fitbit Aria bathroom scale as being vulnerable in the exact same way, as it also uses Gainspan wireless, though at least the scale is inside your house, not accessible to anyone wandering by.


"Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell. The issue – now resolved – underlines how default configurations of IoT components can introduce easy to exploit security holes."

Source: The Register

Valve Comments on Christmas Security Issues

Subject: General Tech | December 30, 2015 - 11:48 PM |
Tagged: valve, steam, security, Privacy

On Christmas Day, Valve had a few hours of problems. Their servers were being overloaded by malicious traffic. The best analogy that I could provide would be a bad organization who sent a thousand people to Walmart, to do nothing but stand in the check-out line and ask the cashier about the time. This clogs up the infrastructure, preventing legitimate customers from making their transactions. This was often done after demanding a ransom. Don't pay? Your servers get clogged at the worst time.


A little too much sharing...

There are two ways to counteract a DDoS attack: add hardware or make your site more efficient.

When a website is requested, the server generates the page and sends it to the customer. This process is typically slow, especially for complicated sites that pull data from one or more database(s). It then feeds this data to partners to send to customers. Some pages, like the Steam Store's front page, are mostly the same for anyone who views it (from the same geographic region). Some pages, like your order confirmation page, are individual. You can save server performance by generating the pages only when they change, and giving them to relevant users from the closest delivery server.

Someone, during a 20-fold spike in traffic relative to the typical Steam Sale volume, accidentally started saving (caching) pages with private information and delivering them to random users. This includes things like order confirmation and contact information pages for whatever logged-in account generated them. This is pretty terrible for privacy. Again, it does not allow users to interact with the profiles of other users, just see the results that other users generated.

But this is still quite bad.

Users complained, especially on Twitter, that Valve should have shut down their website immediately. From my position, I agree, especially since attempting to make a purchase tells the web server to pull the most sensitive information (billing address, etc.) from the database. I don't particularly know why Valve didn't, but I cannot see that from the outside.

It's probably a simple mistake to make, especially since Valve seems to blame a third-party for the configuration issue. On the other hand, that also meant that Valve structured their website such that sensitive information is in the hands of third-parties to properly cache. That might have been necessary, depending on their browser compatibility requirements, but I would hope that it's something Valve restructures in the future. (For instance, have the caching server store the site's framework, and fill in the individual's data with a JavaScript request to another, uncached server.)

But again, I don't work there. I don't know the details.

Source: Valve
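
The caching failure described in this post, as an added example that is not Valve's or their caching partner's code: a cache keyed on URL alone hands one user's order page to the next visitor, while a cache that only stores responses the origin marks as shareable does not. The `origin` function, paths and session names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, session):
    """Constructed origin: the store page is shared, the order page is per-user."""
    if path == "/store":
        return Response("front page", {"Cache-Control": "public, max-age=60"})
    return Response(f"order + billing address for {session}",
                    {"Cache-Control": "private, no-store"})

class NaiveCache:
    """Caches every response by URL only (the failure mode described above)."""
    def __init__(self):
        self.store = {}

    def get(self, path, session):
        if path not in self.store:
            self.store[path] = origin(path, session)
        return self.store[path].body

class SafeCache:
    """Stores a response only when the origin explicitly marks it shareable."""
    def __init__(self):
        self.store = {}

    @staticmethod
    def cacheable(resp):
        raw = resp.headers.get("Cache-Control", "")
        directives = {d.strip().split("=")[0].lower() for d in raw.split(",")}
        if directives & {"private", "no-store", "no-cache"}:
            return False
        if "Set-Cookie" in resp.headers:      # per-session response
            return False
        # Fail closed: no explicit opt-in means the response is never stored.
        return bool(directives & {"public", "max-age", "s-maxage"})

    def get(self, path, session):
        if path in self.store:
            return self.store[path].body
        resp = origin(path, session)
        if self.cacheable(resp):
            self.store[path] = resp
        return resp.body
```
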

Sigh ... your Windows 10 device is probably only as secure as Microsoft's database

Subject: General Tech | December 29, 2015 - 02:13 PM |
Tagged: microsoft, windows 10, security

If your Windows 10 machine uses your Microsoft account as the login then your system's recovery key now resides on a Microsoft database in the cloud.  That recovery key is used in the file system encryption present on Windows 10 systems.  The backup is good news for people who find themselves with computer problems and need access to the key from a different machine; however, this is also a huge security concern as your key could be stolen or demanded from Microsoft.  Follow the link from the Slashdot article to find out how to delete that backed-up recovery key, and consider using a domain or workgroup style account as opposed to a Microsoft account to log into your machine.


"The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud.....As soon as your recovery key leaves your computer, you have no way of knowing its fate."

Source: Slashdot

Update your AntiVirus software and you won't have to worry

Subject: General Tech | December 10, 2015 - 01:37 PM |
Tagged: security, avg, Kaspersky, mcafee

To reverse the usual order, the good news is that AVG fixed the issue a while ago, as have Intel, owner of McAfee, as well as Kaspersky.  The bad news is that this exploit is rather nasty and was completely avoidable with a bit of forethought.  Of all the programs to follow a predictable pattern, AV software is the last one you would want to see do so.  There is a tool over at GitHub to allow you to check your own vulnerability.  Personal machines should be good to go but, as The Register mentions, at least one Enterprise level AV program is vulnerable and those definitions are often updated along a different path than consumer level products.

Chances are you are safe, but you should probably double check.


"In March, researchers at security firm enSilo found a serious flaw in popular free antivirus engine AVG Internet Security 2015. They found that the software was allocating memory for read, write, and execute (RWX) permissions in a predictable address that an attacker could use to inject code into a target system."

Source: The Register

The Internet of Things loves to share

Subject: General Tech | November 26, 2015 - 12:22 PM |
Tagged: idiots, iot, security

You would think people would be taken aback if someone suggested saving money by using the same key on every new house built in a neighbourhood; if so, you don't work for companies developing hardware for the Internet of Things.  In a recent survey of 4,000 embedded devices from 70 hardware makers, Sec Consult found that many had the same hardwired SSH login keys and server-side SSL certificates.  According to the numbers they provided The Register, a total of 580 private keys were found distributed over all the analyzed devices, of which at least 230 are already in use on the internet.  To be fair, this is not uncommon in consumer level firmware, as companies do not even bother to check over the source code let alone change the security keys held within, but it is a huge security risk.  For a glimpse at how bad some of these supposedly secure certs and keys are, read on at The Register.


"Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned."

Source: The Register
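
One way to audit a set of firmware images for the key reuse described in this post, as an added example that is not Sec Consult's tooling: pull every PEM private key out of each image, fingerprint it, and report keys that appear on more than one device. The device names, image bytes and key bodies are constructed placeholders.

```python
import hashlib
import re
from collections import defaultdict

# Matches PEM private-key blocks embedded anywhere in a binary image.
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY)-----"
    rb"(.+?)-----END \1-----", re.DOTALL)

def key_fingerprints(image: bytes) -> set:
    """SHA-256 fingerprints of every PEM private key found in an image."""
    prints = set()
    for m in PEM_KEY.finditer(image):
        body = b"".join(m.group(2).split())   # ignore line wrapping differences
        prints.add(hashlib.sha256(body).hexdigest())
    return prints

def shared_keys(images: dict) -> dict:
    """Map fingerprint -> sorted device names for keys seen on 2+ devices.

    Limitation: the same key re-encoded in a different container
    (for example PKCS#1 vs PKCS#8) hashes differently and is not matched.
    """
    seen = defaultdict(set)
    for device, image in images.items():
        for fp in key_fingerprints(image):
            seen[fp].add(device)
    return {fp: sorted(d) for fp, d in seen.items() if len(d) > 1}

def pem(body: str, kind: str = "RSA PRIVATE KEY", width: int = 8) -> bytes:
    """Build a constructed PEM block with the given line width."""
    lines = "\n".join(body[i:i + width] for i in range(0, len(body), width))
    return f"-----BEGIN {kind}-----\n{lines}\n-----END {kind}-----\n".encode()

# Constructed sample data: placeholder bodies, not real key material.
KEY_A = "Q09OU1RSVUNURURfS0VZX0E="
KEY_B = "Q09OU1RSVUNURURfS0VZX0I="
IMAGES = {
    "router-vendor1": b"\x7fELF\x00" + pem(KEY_A) + b"\x00cfg",
    "camera-vendor2": b"squashfs" + pem(KEY_A, width=16) + b"\xff",
    "modem-vendor3": b"\x00" + pem(KEY_B, kind="PRIVATE KEY"),
}

if __name__ == "__main__":
    for fp, devices in shared_keys(IMAGES).items():
        print(fp[:16], "shared by", ", ".join(devices))
```
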

What the hell Dell?

Subject: General Tech | November 24, 2015 - 12:42 PM |
Tagged: dell, superfish, security, edellroot

As Scott mentioned yesterday, Dell refused to learn from Lenovo's lesson and repeated the exact same mistake with eDellRoot, a self-signed root CA cert with an unknown purpose.  Unlike SuperFish, which was to allow targeted ads to be displayed, eDellRoot serves an unclear purpose apart from a mention of Microsoft-like "easier customer support", but it exposes you to the exact same security risks as SuperFish does.  You could remove the cert manually; however, as it resides in Dell.Foundation.Agent.Plugins.eDell.dll, it will return on next boot and can return on fresh Windows installs via Dell driver updates, something which will be of great concern to their business customers.

Dell has finally responded to the issue, stating "The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability." and providing a process to remove the certificate from the machine permanently in this Word Document.  You can check for the presence of the cert on your machine in those two links.

However, the best was yet to come, as researchers have found a second cert as well as an expired Atheros Authenticode cert for Bluetooth and private key on a limited number of new Dell computers as well.  As Dell made no mention of these additional certificates in their statement to the press, it is hard to give them the benefit of the doubt.  The Bluetooth cert will not make you vulnerable to a man-in-the-middle attack; however, the second cert is as dangerous as eDellRoot and can be used to snoop on encrypted communications.  The second cert was found on a SCADA machine which is, as they say, a bad thing.

We await Dell's response to the second discovery as well as further research to determine how widespread the new certs actually are.  So far Dell XPS 15 laptops, M4800 workstations, and Inspiron desktops and laptops have been found to contain these security issues.  The chances of you falling victim to a man in the middle attack thanks to these security vulnerabilities are slim but not zero so be aware of them and keep your eyes out for them on your systems.  With Lenovo and Dell both being caught, it will be interesting to see if HP and other large vendors will learn this lesson or if it will take a third company being caught exposing their customers to unnecessary risks.


"A second root certificate and private key, similar to eDellRoot along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert."

Source: Slashdot

Should you fear SilverPush?

Subject: General Tech | November 20, 2015 - 02:22 PM |
Tagged: security, silverpush, fud

SilverPush has been around for a while but was recently reverse-engineered so that it could be investigated by anyone with an interest in their phone's security.  It is software that is often bundled in advertisements or streamed media that takes advantage of your phone's far greater range of audio sensitivity and the fact that you can communicate information via audio signals.  This could allow an app to communicate with your phone without your knowledge, to collect data from your phone or even to provide contextual ads on your phone.

However, as you can see from the list of apps which The Register links to, there is not much likelihood that you have an app which has SilverPush enabled installed on your phone, and that is the real key.  If you do not have an app which is listening for audio signals on those frequencies then you will not suffer the effects of SilverPush.  The moral of the story is that your phone's security starts with you; if you download random free apps and allow them full access to your phone then you should not be surprised by this sort of thing.


"SilverPush's software kit can be baked into apps, and is designed to pick up near-ultrasonic sounds embedded in, say, a TV, radio or web browser advert. These signals, in the range of 18kHz to 19.95kHz, are too high pitched for most humans to hear, but can be decoded by software."

Source: The Register

Jamming WiFi on the cheap

Subject: General Tech | October 13, 2015 - 01:07 PM |
Tagged: security, Raspberry Pi

With a Raspberry Pi and a cheap WiFi dongle, a researcher has shown an effective way to completely block 2.4GHz transmissions in a 120 metre radius.  By disabling the backoff wait time, aka Short Interframe Space (SIFS), which is accomplished by firmware modification, the WiFi dongle will continually resend a frame and block any device with a higher bitrate.  This will block WiFi, Bluetooth and most IoT devices including security systems.  They did not provide the source code used in this procedure, so you won't be able to block your friends for your own amusement, but security researchers can reach out to the inventor for access to see if there are ways to circumvent this vulnerability.  The story at The Register also has some information on TKIP vulnerabilities and possible ways to block transmissions on the 5GHz band.


"The wireless security boffin presented his work at the BruCon conference last week and revealed his weapon of choice is a bargain WiFi dongle bought off Amazon that, when paired with a Raspberry Pi and a small amplifier, can block 2.4Ghz transmissions for up to 120 metres."

Source: The Register