Have tape over your webcam? Might want to fill your headphones with wax as well!

Subject: General Tech | November 24, 2016 - 12:35 PM |
Tagged: security, hack, audio, Realtec

Security researchers have discovered a way to flip an output channel on onboard Realtec audio into an input channel, thus turning your headphones into an unpowered microphone.  The ability of a speaker or headphone to be used as a microphone is not news to anyone who has played around with headphones or input jacks, but it is possible some readers had deprived childhoods and have never tried this.  While you cannot mitigate this vulnerability permanently you could certainly notice it as your headphones would no longer play audio if the port is configured as input. 

Drop by Slashdot a link, and if you have never tried this out before you really should find an old pair of headphones and experiment with ports as well as snipping off one side of a pair of earbuds.  One supposes iPhone 7 users need not worry.

main-qimg-6c2713171e56fb4f0dda88717a6faae7-c.jpg

"In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room. It essentially "retasks" the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. This isn't a driver fix, either."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Touchless jackpotting, making ATM's disgorge their contents remotely

Subject: General Tech | November 23, 2016 - 12:50 PM |
Tagged: hack, bank, atm, security, cobalt

Imagine walking down the street, only to notice an ATM spewing money out of its slots and into a bag held by a shady looking character; but not in a video game.  In at least 14 countries including Russia, the UK, the Netherlands and Malaysia, hackers are using a program dubbed Cobalt to conduct remote logical attacks on ATMs.  These attacks cause the ATM to empty itself, into the waiting hands of an accomplice who only needs to show up at the appropriate time.  As the attacks are conducted remotely the mule may have only the slightest connection to the hackers that compromised the banking system which makes them very hard to catch.  The Inquirer has links to more information on Cobalt, unfortunately they do not have any details on fortunate times or locations to be present at.

ATM-hack.jpg

"HACKERS HAVE MANAGED to hack cash machines so that they do what everyone who has ever used one has wanted them to do, which is just spit out cash like it was going out of fashion."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Love to argue on the internet? Why not leave your mark on the IoT!

Subject: General Tech | November 21, 2016 - 12:26 PM |
Tagged: iot, security

Hack a Day takes you on a bit of a trip through memory lane to demonstrate how current programmers can have a major influence on the standards that the Internet of Things will eventually adopt.  If you remember X.25's loss to TCP/IP thanks to the volume of adoption the latter had, or mourn the loss of SOAP's XML based transmission to JSON then you have an idea what they are discussing.  

If a large enough group of programmers choose a particular communications protocol or software library to design connected household appliances, manufacturers will find it easier and more economical to base their products on the skills of the programmers who work for them.  Any security and performance enhancements that come about because of this would be an added benefit to the company and of great value to the end users.  Pick up that keyboard and see if you can't turn the tide and plug up the I/O ports of the death toaster.

internet-of-things-toaster-thumb-1.jpg

"In the long term however it’s unlikely we’re going to let one company become the backhaul for consumer Internet of Things traffic. It’s unlikely that there will be one platform to rule them all. I don’t think it’s going to be long till IFTTT starts to see some complaints about that, and inevitably clones."

Here is some more Tech News from around the web:

Tech Talk

Source: Hack a Day

Weird, the cell signal is really strong over by the printer

Subject: General Tech | November 3, 2016 - 12:51 PM |
Tagged: security

Just how easy is it to intercept your cellphone signals, be it texting or calling?  Julian Oliver showed off the simplicity of it by adding a GSM base station to the internals of an HP printer and thanks to its proximity to your phone it easily overpowers the signal sent by your providers cell tower.  It can text and call you or intercept anything sent from your phone once your device connects, showing just how easily unencrypted cell signals can be monitored.  This particular project is for an art show with warnings displayed for attendees, as this is to highlight the simplicity of eavesdropping as opposed to the nefarious purposes it could easily server.  Drop by Ars Technica for more detail, including the code he used.

si-5.jpg

"Earlier this week, the Berlin-based hacker-artist unveiled the result: An entirely boring-looking Hewlett Packard printer that also secretly functions as a rogue GSM cell base station, tricking your phone into connecting to it rather than your phone carrier’s tower, effectively intercepting your calls and text messages."

Here is some more Tech News from around the web:

Tech Talk

Source: Ars Technica

ARM plans to mbed itself into the IoT, for better or worse

Subject: General Tech | October 26, 2016 - 01:08 PM |
Tagged: arm, Mbed OS, iot, security

Is a single point of failure more or less secure than multiple points?  That is the question IoT designers should make when considering ARM's new mbed OS, designed to rein in the fiasco which is the current state of security in the IoT market.  On the one hand this OS will run on just about any device you could want, even if you prefer your device remain on MIPS, Linux or another OS and regardless of your back end provider.  It will allow encrypted updates to be pushed out to devices software or firmware from a single source and the companies which use it will be charge on a pay per use scheme as opposed to a fixed cost.

On the sinister hand, this means that when someone manages to exploit an unforeseen vulnerability in mbed, the communications between ARM and the devices or the factory set private keys, they will be able to own every single mbed device out there.  That is unfortunately merely a matter of time and so we wait to hear from ARM as to how they plan to partition the devices which use mbed and other measures they will develop to prevent a worse DDoS than the Dyn DNS attack last week.  You can take a deeper look at mbed's structure as well as ARM's new Cortex-M33 and Cortex-M23 microcontrollers over at The Register.

index.png

"So ARM has come up with mbed Cloud, a software-as-a-service platform that securely communicates with firmware in devices to install fixes and feature updates. Product makers pay to remotely manage all their sold kit. Crucially, they pay for what they use – whether it's pushing updates, or connecting millions of units, and so on."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Know someone who uses the Johnson & Johnson Animas OneTouch Ping insulin pump?

Subject: General Tech | October 5, 2016 - 12:43 PM |
Tagged: security, hack, iot

The good news about this hack is that you would need good timing and physical proximity to the wireless remote which instructs the pump to administer insulin; the bad news is that this is all that is needed and it could result in the death or hospitalization of the target.  The vulnerability stems from the usual problem, the transmission between the remote and pump is done in the clear letting anyone who is looking retrieve serial numbers and codes.  With that information you can then trigger a dose to be delivered or quite feasibly change the default amount of dosage the pump delivers, as was done previous with a different model.

IoT security as it applies to fridges and toasters is one thing; medical devices quite another.  News of unauthorized access to pacemakers and other drug delivery systems which could result in death is not uncommon, yet companies continue to produce insecure systems.  Adding even simply encryption to transmissions as well as firmware based dosage sizes should be trivial after the release of a product and even easier before it is released.  Keep this in mind when you are seeking medical care, choosing devices which are less likely to kill you because of shoddy security makes sense.  You can pop by Slashdot for links to some stories or wade into the comments if you so desire.

1.1.2.1_Ping.jpg

"Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients -- however, it declares that the risk of this happening is very low."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

The toasters are revolting!

Subject: General Tech | September 26, 2016 - 01:01 PM |
Tagged: iot, security, upnp

Over the weekend you might have noticed some issues on your favourite interwebs as there was a rather impressively sized DDOS attack going on.  The attack was a mix of old and new techniques; they leveraged the uPNP protocol which has always been a favourite vector but the equipment hijacked were IoT appliances.  The processing power available in toasters, DVRs and even webcams is now sufficient to be utilized and is generally a damned sight easier to control than even an old unpatched XP machine.  This does not spell the end of the world which will likely be predicted on the cable news networks but does further illustrate the danger in companies producing inherently insecure IoT devices.  If you are not sure what uPNP is, or are aware but do not currently need it, consider disabling it on your router or think about setting up something along the lines of ye olde three router solution

Hack a Day has links to a bit more information on what happened here.

simulant_2.jpg

"Brace yourselves. The rest of the media is going to be calling this an “IoT DDOS” and the hype will spin out of control. Hype aside, the facts on the ground make it look like an extremely large distributed denial-of-service attack (DDOS) was just carried out using mostly household appliances (145,607 of them!) rather than grandma’s old Win XP system running on Pentiums."

Here is some more Tech News from around the web:

Tech Talk

Source: Hack a Day

To read this story just post your first pet's name and the first address you remember living at in the comments

Subject: General Tech | September 21, 2016 - 01:11 PM |
Tagged: security, idiots

David Hannum underestimated humanity greatly when he claimed a sucker was born every minute, we are now up to one every 15 seconds and accelerating.  Online scammers continue doing what they are doing because it works, even those who should know better regularly share personal details online which make scammers lives much easier.  It is not just those suspicious phone calls, texts or websites; many people's social media feeds are a cornucopia of personal information which allow scammers to profit off of your money.  The problem is only getting worse, in the UK The Register reports that losses in 2015 were £755m, 26% more than 2014.  A quick search reveals that the trend applies to the US as well

You've heard it before and will hear it again, take a second to ask yourself if you really should be sharing what you are about to post before you send it.

18900000_PT_Barnum_Commercial_Image2.jpg

"Between January and June 2016 there were 1,007,094 fraud cases in the UK compared to 660,308 in the first six months of 2015. Each case represents a card or account attacked, not an individual person."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

ARM's new security focused Cortex R-52 for IoT

Subject: General Tech | September 20, 2016 - 01:20 PM |
Tagged: arm, iot, cortex r52, r-52, cortex, security

ARM's new Cortex R-52 replaces the aging R-5 and they report that it will run 14 times faster than the model it replaces.  It is also the first ARMv8-R based product they have released, it supports hypervisor instructions as well as additional unspecified safety features.  They are aiming for medical applications as well as vehicles, markets which are currently plagued by insecure software and hardware.  In many cases the insecurity stems from companies using the default software settings in their products, often due to ignorance as opposed to malice and ARM intends their default settings to be far more secure than current SOCs.  Unfortunately this will not help with those who use default passwords and ports but it is a step in the right direction.  Pop over to The Inquirer for more information.

CortexR Launch Deck-17_575px.png

"The Cortex R-52 has been five years in development and is engineered to meet new safety standards as ARM takes aim at the growing market of large-scale smart devices, such as surgical robots and self-driving cars."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

If you thought IoT security was already bad ...

Subject: General Tech | September 7, 2016 - 12:25 PM |
Tagged: iot, security, ssh, idiots

The research that SEC Consult has conducted shows that almost half of all IoT devices, from your router straight through to devices in hospitals and factories use public SSH host keys and X.509 certificates.  Since these keys are known far and wide it is depressingly easy to break the encryption on any communications from these devices and harvest passwords and other data or even to change the contents of that package on the fly.  Imagine a heart monitor which reports a strong heartbeat long after the patient has died or a large machine in a power plant being given different readings to allow it to exceed safety margins and destroy itself.  This is only getting worse, as many companies creating these IoT devices are either trying to save money by using packaged software or in some cases are totally ignorant of the effect of reusing keys.

If you can, change your keys to be device specific and isolate them on your network.  As The Register unhappily points out, this is not something your average consumer or purchasing department is aware of, let alone proficient enough to change keys on their devices.

289B6CBB00000578-3079152-image-m-10_1431495618447.jpg

"Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer