Stalkers can choose to spend $1000 on a mobile ad instead of a private eye

Subject: General Tech | October 18, 2017 - 01:12 PM |
Tagged: security, spooky

Forget Big Brother tracking you via your phone; anyone with a bone to pick can stalk you through the ad-supported apps on your phone for around $1000.  Researchers conducted some disturbingly effective experiments: they created a banner ad, targeted it at a grid of small geographic cells, and went through the usual process of paying a demand-side platform to have it displayed inside an app, in this case Talkatone.  Each ad buy targets a single cell, so every time the ad is served the buyer learns which cell the phone was in.  If the app was left open for more than four minutes, or opened twice in that same period, they were able to pinpoint the phone's location to within about 25 feet.  That let them map out a daily route, work and home addresses, and many of the other locations visited by the person carrying the phone.  Read the full article over at Wired and reconsider this the next time you are pondering installing an ad-supported app on your phone.

MappingGeotracking.jpg

"They then used that DSP to place a geographic grid of location-targeted ad buys around a three-mile square section of Seattle, which for their tests they set to appear on the popular ad-supported calling and texting app Talkatone."
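To make the inference step concrete, here is an added example (not the researchers' code or data): a constructed week of ad impressions for one phone, each tagged with the made-up grid cell its ad buy was targeted at, and the simple time-of-day statistics that turn them into a home cell, a work cell, a daily route and a list of frequently visited places. The cell ids, schedule and thresholds are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed data: a simulated week of ad impressions for one phone. Each ad
# buy in the attack is targeted at a single grid cell (the cell ids here are
# made up), so the cell an impression is billed against is the phone's
# location at that time, to the precision of the cell.
WEEKDAY_SCHEDULE = [
    ("06:30", "C3"), ("07:45", "C3"), ("08:10", "C4"), ("08:25", "D5"),
    ("09:00", "E6"), ("10:15", "E6"), ("12:30", "E7"), ("13:05", "E6"),
    ("15:00", "E6"), ("17:40", "D5"), ("18:20", "C3"), ("21:00", "C3"),
    ("23:10", "C3"),
]
WEEKEND_SCHEDULE = [("10:00", "C3"), ("14:00", "B2"), ("16:30", "C3"), ("22:00", "C3")]


def constructed_impressions(start="2017-10-09", days=7):
    """Return a sorted list of (timestamp, cell) impressions; start is a Monday."""
    first = datetime.strptime(start, "%Y-%m-%d")
    log = []
    for d in range(days):
        day = first + timedelta(days=d)
        schedule = WEEKEND_SCHEDULE if day.weekday() >= 5 else WEEKDAY_SCHEDULE
        for hhmm, cell in schedule:
            hour, minute = (int(x) for x in hhmm.split(":"))
            log.append((day.replace(hour=hour, minute=minute), cell))
    return sorted(log)


def infer_home(log):
    """Home is the cell where the phone most often sits overnight (22:00-06:00)."""
    night = Counter(cell for ts, cell in log if ts.hour >= 22 or ts.hour < 6)
    return night.most_common(1)[0][0] if night else None


def infer_work(log):
    """Work is the cell most often seen during weekday office hours (09:00-17:00)."""
    office = Counter(cell for ts, cell in log
                     if ts.weekday() < 5 and 9 <= ts.hour < 17)
    return office.most_common(1)[0][0] if office else None


def daily_route(log, day):
    """Ordered sequence of distinct cells visited on an ISO date string."""
    target = datetime.strptime(day, "%Y-%m-%d").date()
    route = []
    for ts, cell in log:  # log is sorted by timestamp
        if ts.date() == target and (not route or route[-1] != cell):
            route.append(cell)
    return route


def frequent_places(log, top=3):
    """The most visited cells overall: the 'locations visited' in the article."""
    return [cell for cell, _ in Counter(cell for _, cell in log).most_common(top)]


if __name__ == "__main__":
    log = constructed_impressions()
    print("home:", infer_home(log), "work:", infer_work(log))
    print("Monday route:", " -> ".join(daily_route(log, "2017-10-09")))
    print("frequent:", frequent_places(log))
```

Nothing here is clever; that is the point. A handful of timestamped cell hits per day is enough to separate home from work and to replay a commute, which is why the researchers' budget was measured in hundreds of dollars rather than in surveillance hardware.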

Here is some more Tech News from around the web:

Tech Talk

Source: Wired

Don't let today's WiFi security Krack drive you into a panic

Subject: General Tech | October 16, 2017 - 02:41 PM |
Tagged: krack, wifi, security

If you are running Windows 7 or a more recent version and applied the patches from last Tuesday then you are largely protected against KRACK; older Android releases, Chromium, Linux, OpenBSD and Android Wear 2.0 are not.  There are several attacks that can be carried out via this vulnerability but all rely on tampering with the handshake that installs the key connected devices use to protect data sent over the wireless network.  KRACK does not recover your Wi-Fi password or substitute a key of the attacker's choosing; it replays a handshake message so that the client reinstalls a key it is already using, which resets the packet number (the nonce) and the replay counter.  Packets encrypted after that reset reuse keystream the attacker has already captured, which lets them decrypt traffic and, depending on the cipher suite in use, inject or forge packets as if they came from an authenticated device.  On Linux and Android 6.0 and later, which use wpa_supplicant 2.4 or newer, the client can even be tricked into installing an all-zero key, which makes decryption trivial.  Depending on the security you use and the OS you are on the attacker can carry out a variety of tasks, which Ars Technica describes in full.

If you are running an older Android device, especially one which no longer receives regular updates, you should be concerned.  Apple will offer a patch soon, as will Google; for now, if you have an up-to-date installation of Windows, the risks have been minimized thanks to the recent patches from Microsoft.  Keep in mind that the attacker has to be within radio range of the victim, and that traffic protected by TLS or a VPN stays protected even when the Wi-Fi layer is broken; it is WPA2 that is at stake, not everything carried over it.

478888602.jpg

"While Windows and iOS devices are immune to one flavor of the attack, they are susceptible to others. And all major operating systems are vulnerable to at least one form of the KRACK attack. And in an addendum posted today, the researchers noted that things are worse than they appeared at the time the paper was written."
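An added illustration of why reinstalling a key is fatal for a stream-style cipher such as CCMP; this is not code from the KRACK paper or from any Wi-Fi stack. HMAC-SHA256 in counter mode stands in for the AES-CTR keystream, the client and the "replayed message 3" are simplified models, and the HTTP request and password are constructed. The patched client simply refuses to reinstall a key it already holds, which is the shape of the fix vendors shipped, though real patches do it inside the supplicant's state machine. The all-zero-key variant is not modelled.

```python
import hashlib
import hmac
import struct


# Constructed demonstration. HMAC-SHA256 in counter mode stands in for the
# AES-CTR keystream that CCMP derives from (key, packet number); the property
# that matters, "same key + same nonce = same keystream", is the same.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """A WPA2 client that does what 802.11 said to do: reset the packet
    number (PN, used as the CCMP nonce) whenever a key is installed."""

    def __init__(self):
        self.ptk = None
        self.pn = 0

    def handshake_message3(self, ptk: bytes) -> None:
        # Message 3 of the 4-way handshake tells the client to install the
        # pairwise key. A replayed message 3 triggers this a second time.
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes) -> tuple:
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")  # CCMP uses a 48-bit PN as nonce
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


class PatchedClient(Client):
    """The fix: ignore an attempt to reinstall the key already in use, so a
    replayed message 3 cannot reset the packet number."""

    def handshake_message3(self, ptk: bytes) -> None:
        if ptk == self.ptk:
            return
        super().handshake_message3(ptk)


KNOWN = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"  # constructed, attacker-known plaintext
SECRET = b"POST /login pw=hunter2 (constructed)"       # constructed, what the attacker wants


def attack(client_cls) -> dict:
    """Run the replay against a client class and report what the attacker learns.

    The attacker sits between client and AP on the Wi-Fi link, records the
    first data frame after the handshake, then replays message 3."""
    ptk = hashlib.sha256(b"constructed pairwise transient key").digest()[:16]
    client = client_cls()
    client.handshake_message3(ptk)  # genuine message 3: key installed, PN = 0
    pn1, c1 = client.send(KNOWN)    # frame 1, PN = 1
    client.handshake_message3(ptk)  # attacker replays message 3
    pn2, c2 = client.send(SECRET)   # vulnerable client: PN is 1 again
    # Attacker side: with identical keystream, c1 XOR c2 == KNOWN XOR SECRET,
    # so XORing in the known plaintext strips the encryption off SECRET.
    recovered = xor(xor(c1, c2), KNOWN)[:len(SECRET)]
    return {"nonce_reused": pn1 == pn2, "recovered": recovered}


if __name__ == "__main__":
    for cls in (Client, PatchedClient):
        r = attack(cls)
        print(cls.__name__, "nonce reused:", r["nonce_reused"], "recovered:", r["recovered"])
```

Against the unpatched client the second frame decrypts to the password outright; against the patched one the packet numbers differ, the keystreams differ, and the XOR trick yields noise. Note that the attacker never needed the key, which is why changing your Wi-Fi password does nothing against KRACK.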

Here is some more Tech News from around the web:

Tech Talk

Source: Ars Technica

Want another reason to dump that HDD? It can be used as a microphone

Subject: General Tech | October 13, 2017 - 01:01 PM |
Tagged: security, paranoia, microphone, hdd, hack

Some of you may remember the days when it was inadvisable to yell at an HDD array; the latency spike that caused has mostly been overcome by advances in drive technology over the last decade.  That does not mean it is completely gone: the read head in an HDD cannot read from a platter that is vibrating in response to external input such as sound, and those tiny delays are what this researcher used to turn the HDD into a low-quality microphone.  He also found a tone which created even more latency than in that video, enough to have a system drop the disk as bad.  There are links to the research over at Slashdot, including the new, improved way to verbally abuse your storage devices.

index.jpg

"It's not accurate yet to pick up conversations," Ortega told Bleeping Computer in a private conversation. "However, there is research that can recover voice data from very low-quality signals using pattern recognition. I didn't have time to replicate the pattern-recognition portion of that research into mine. However, it's certainly applicable."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

ICANN not update the root KSK system on schedule

Subject: General Tech | September 29, 2017 - 12:53 PM |
Tagged: icann, bind, dns, ksk, networking, security

ICANN has had to delay its planned rollover of the root key signing key (KSK) that DNSSEC validation depends on, because between 5 and 8% of validating resolvers still lack the new 2017 key.  A validator that only possesses the 2010 key will fail to validate the root zone once it is signed with the new key alone, and for anyone stuck behind it the vast majority of the internet would simply stop resolving.  The Register points out that the problem is likely much larger than that: the figure comes from trust-anchor signalling that only recent resolver releases (such as current BIND) send, so the older installations most likely to lack the new key are exactly the ones the measurement cannot see.

The rollover replaces the root trust anchor that every validating resolver ultimately relies on; like the 2010 key, the new KSK-2017 is a 2048-bit RSA key, so the point is not a longer key but routine rotation of the single most important key in DNSSEC, which is basic key-management hygiene.  To help move this forward ICANN will be publishing a list of those out-of-date validators in the hope that publicity will spur their operators to upgrade.  As with IPv6, we will wait and see.

dnskeyen.PNG

"A multi-year effort to update the internet's overall security has been put on hold just days before it was due to be introduced, over fears that as many as 60 million people could be forced offline."
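A check a resolver operator could run against their own configuration, written here as an added example (not ICANN's or ISC's tooling): it computes DNSKEY key tags per RFC 4034 Appendix B and reports whether the configured root trust anchors include KSK-2017 (key tag 20326) or only KSK-2010 (key tag 19036). The two key tags are the real ones; the DNSKEY material and DS digests in the sample text are constructed placeholders, and the simplified zone-file syntax is an assumption (BIND's managed-keys and Unbound's auto-trust-anchor-file formats differ, so adapt the line parsing before pointing this at a real file).

```python
import base64

# Real key tags of the root zone KSKs; everything else below is constructed.
KSK_2010 = 19036
KSK_2017 = 20326


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag of a DNSKEY record, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def trust_anchor_keytags(config_text: str) -> set:
    """Key tags of the root ('.') trust anchors in zone-file style text.

    Accepts DNSKEY lines ('. IN DNSKEY 257 3 8 <base64>') and DS lines
    ('. IN DS 20326 8 2 <hex>'); ';' starts a comment. Only DNSKEYs with the
    SEP bit (flag value 1) set are counted, since that is what a KSK carries."""
    tags = set()
    for raw in config_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields or fields[0] != ".":
            continue
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
            if not flags & 1:  # no SEP bit: a zone signing key, not a trust anchor
                continue
            pubkey = base64.b64decode("".join(fields[i + 4:]))
            tags.add(dnskey_keytag(flags, protocol, algorithm, pubkey))
        elif "DS" in fields:
            tags.add(int(fields[fields.index("DS") + 1]))  # DS carries the tag in clear
    return tags


def rollover_status(tags: set) -> str:
    """What the KSK rollover means for a resolver configured with these anchors."""
    if KSK_2017 in tags:
        return "ready"
    if KSK_2010 in tags:
        return "stale"  # validation fails once the root is signed only under KSK-2017
    return "no root anchor"


# Constructed trust-anchor snippets. The DS digests are placeholders (the
# parser never reads them) and the DNSKEY public key is a 4-byte stand-in for
# a real RSA key; its key tag works out to 1803.
STALE_CONFIG = """
; old resolver: only the 2010 key is configured
. IN DS 19036 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""
READY_CONFIG = """
. IN DS 19036 8 2 0000000000000000000000000000000000000000000000000000000000000000
. IN DS 20326 8 2 1111111111111111111111111111111111111111111111111111111111111111 ; KSK-2017
. IN DNSKEY 257 3 8 AwEAAQ==   ; constructed placeholder key, tag 1803
. IN DNSKEY 256 3 8 AwEAAQ==   ; ZSK flags, ignored
"""

if __name__ == "__main__":
    for name, text in (("stale", STALE_CONFIG), ("ready", READY_CONFIG)):
        tags = trust_anchor_keytags(text)
        print(name, sorted(tags), rollover_status(tags))
```

On a live resolver the same classification can be applied to the output of `dig . DNSKEY +multi` (dig prints the key tag in a comment) or to the trust anchors the resolver reports; the point is that "does 20326 appear anywhere" is the whole question, and RFC 5011 automatic updates only answer it for resolvers that were running, and able to write their key file, during the add-hold-down period.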

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register

Skimmer Scanner, a start to protecting yourself at the pump

Subject: General Tech | September 25, 2017 - 01:12 PM |
Tagged: skimmer scanner, security, bluetooth

If you haven't seen the lengths to which scammers will go when modifying ATMs to steal your bank details, you should really take a look at these pictures and get in the habit of tugging on the ATM's fascia and keypad before using it.  Unfortunately, as Hack a Day posted last week, the bank is not the only place you have to be cautious; paying at the pump can also expose your details.  In this case it is not a fake front you need to worry about: instead a small PIC microcontroller is spliced into the serial connection between the card reader and the pump's computer, where it can read the card data and PIN, which travel over that link unencrypted, and store them in an EEPROM for later collection.  The device often has a Bluetooth serial module attached so that the scammers can collect the haul from nearby without having to open the pump again.

There is an app that might help: Skimmer Scanner, on Google Play, scans for Bluetooth devices that advertise the default names and pairing codes the off-the-shelf modules in these skimmers ship with, and alerts you.  You can then tweet out the location of the compromised pump to alert others, and hopefully let the station owner and the authorities know as well.  The app could be improved with automatic reporting and other tools, so check it out and see if you can help improve it as well as keeping your PIN and account safe when fuelling up.

Skimmers-Main.jpg

"It would be nice to think that this work might draw attention to the shocking lack of security in gas pumps that facilitates the skimmers, disrupt the finances of a few villains, and even result in some of them getting a free ride in a police car. We can hope, anyway."

Here is some more Tech News from around the web:

Tech Talk

 

Source: Hack a Day

Texting troubles with 2FA

Subject: General Tech | September 19, 2017 - 02:07 PM |
Tagged: security, sms, 2fa

Two-factor authentication is the way to go when dealing with important information online; unfortunately the most common way of enabling 2FA, a code sent by SMS, has proven rather vulnerable.  With just your name, surname and phone number an unsavoury type can abuse weaknesses in SS7, the signalling network carriers use to route calls and texts between each other, to have your SMS messages delivered to them instead, and then use the intercepted codes in password resets to take over your accounts.  The example given over at Slashdot is of a Coinbase wallet with 2FA, registered to a Gmail address also protected by 2FA, which the security researchers took control of without much trouble.  Take a look at the article for more details on the SS7 vulnerabilities this attack exploits as well as better ways of making use of 2FA, such as an authenticator app, which never sends the code over the carrier network at all.

If you do intend to continue using SMS as part of your 2FA, at least consider disabling the feature on your phone which allows you to briefly read a text without unlocking it; that preview puts every code in front of anyone who can see your screen, although it does nothing against interception on the network.

cell-tower-chemtrails-hendersonville-header11.jpg

"The report notes of several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"

Here is some more Tech News from around the web:

Tech Talk

 

Source: Slashdot

Proper per-app permissions arriving in Windows 10

Subject: General Tech | September 14, 2017 - 02:40 PM |
Tagged: microsoft, windows 10, security

The new Creators Update for Windows 10 just received a noteworthy upgrade.  Installed applications will now need your agreement before they can collect and transmit data such as your location and other sensitive information.  Many of the concerns raised by Windows 10 users focused on the current configuration, which defaults to apps being allowed to track you and send information; it can be turned off by a user, but only after the fact.  Now applications will have that access disabled by default unless you grant it during installation.  There are cases in which it is beneficial to send your usage information, especially Windows error reports, but that was no excuse to enable that ability across the board.  The Inquirer also mentions that the Enterprise version will offer greater control and limit the OS to local notifications of serious issues or updates.

index.png

"Starting with the new Creators Update, you will be required to explicitly give permission for each piece of access and there's even a full privacy statement to wallow through (or more likely ignore, make tea) during install."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Inquirer

So, about that D‑Link DIR 850L wireless AC1200 you might be using ...

Subject: General Tech | September 13, 2017 - 03:03 PM |
Tagged: DIR 850L wireless AC1200, ac1200, D-Link, router, security

If you have a D-Link DIR-850L wireless router, or know anyone who does, you should unplug it without delay.  The Register posted a link to the recently released findings of security researcher Pierre Kim, who originally contacted D-Link in February about flaws in this router only to see a single patch released since then.  The vulnerabilities are rather severe, ranging from a lack of verification of firmware images (so anyone who can reach the update mechanism can load their own), through private keys hardcoded into the firmware and therefore shared by every unit, to an actual built-in backdoor.  The router is not supported by DD-WRT so you cannot resolve the issue by replacing the firmware; it should be treated as a brick until D-Link resolves these issues in an update.

DIR850L1664x936FRONT.png

"A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register

Fool me once, shame on me ... Chrome gives Symantec the cold shoulder

Subject: General Tech | September 12, 2017 - 02:29 PM |
Tagged: chrome, symantec, security

The original issue dates back two years, to the discovery that Symantec's certificate authority had issued test certificates for domains it had no authority over, including google.com, without the domain owners' knowledge.  Symantec responded with a round of firings intended to reassure customers and security experts, which was somewhat successful until earlier this year.  In January a further investigation turned up many more certificates that Symantec and its partner registration authorities had issued without properly validating that the applicant controlled the domain, including some for domains the applicants had no rights to at all.  This has been enough for Google: Chrome 66 will stop trusting Symantec certificates issued before June 1, 2016, and Chrome 70 will not trust any certificate chaining to Symantec's existing roots.  The Inquirer provides a full timeline here.

1406048971_Symantec-Logo.png

"The decision to remove Symantec certificates came as a result of the discovery of a dodgy certificate in 2015, leading to a fuller investigation that brought forward more issues with security at the beginning of this year."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Inquirer

Your Roomba is spying on you and that fridge sure looks suspicious

Subject: General Tech | July 25, 2017 - 02:54 PM |
Tagged: security, roomba, irobot, greed

It should be obvious to most that the new generation of Roombas builds up and saves a map of your house; that is how it learns to navigate your floors to vacuum them.  One would also think it obvious that this information should remain private; unfortunately iRobot does not seem to understand this.  They are in discussion with Apple, Amazon and Alphabet to determine a price at which iRobot will sell them the map of the parts of your house your Roomba has traversed.  This should be somewhat disturbing to Roomba owners and likely very exciting to anyone who likes to wander uninvited into other people's homes.  The security of that data is not likely to be hard to overcome for a motivated and skilled individual, so keep that in mind if you are shopping for a robot vacuum.  You can pop by The Inquirer to read iRobot chief executive Colin Angle's bizarre response to tweets from concerned customers.

vacuuming-money.jpg

"VACUUM CLEANER COMPANY iRobot, responsible for the 'smart' Roomba vacuum, is considering doing something really dumb - selling user mapping data to companies that would hand over how your house is laid out."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Inquirer