Some Computer Manufacturers Are Disabling Intel Chip Firmware

Intel is catching some flak for releasing CPU technology that’s filled with security flaws. At issue is Intel’s Management Engine (ME), which is designed for Enterprise use and is of no real value on equipment designed for personal or home use.

Although many popular PC and laptop manufacturers, including Acer, Panasonic, Lenovo, Fujitsu, HP and others, are selling equipment with Intel ME enabled, so far three hardware vendors have opted to disable the firmware.

These three vendors are Dell, System76 and a company called Purism. Of particular interest is the fact that Purism opted to disable the Management Engine almost a full month before Intel released any information about the security flaws in its technology. Apparently, someone else found a way to disable Intel ME, and the company decided to use it as a means of improving the privacy protections of its customers.

According to a recent blog post published by Purism:

“Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. The Librem 13 and Librem 15 products can be purchased today and will arrive with the Management Engine disabled by default.”

The equipment manufacturers who are selling their wares with the Intel Management Engine enabled have all promised to patch the security flaws in a future update, but as of right now, none of those manufacturers have provided an ETA for when that might be.

In the meantime, if you’re looking to upgrade your equipment and you don’t want to expose yourself or your organization to unnecessary risk, buying from any of the three vendors mentioned above, Dell, System76 or Purism, is a smart choice. It gives your network security team one less thing to worry about, and that’s always a good thing.

Some Websites Can Force Your Computer To Mine Cryptocurrency

Researchers at Malwarebytes have discovered a new exploit that allows malicious website owners to use your PC to mine various forms of cryptocurrency, even if you exit the browser window the malicious site was displayed on.

The exploit relies on a smart pop-under trick. Code on the website determines your monitor’s resolution and places a ghost browser session behind the clock on the Windows taskbar, where it continues to mine cryptocurrency, consuming a portion of your CPU’s power and resources.

The impact on your system’s performance is nominal, so only the most observant users will notice anything amiss.

According to Malwarebytes researcher Jerome Segura, “This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the ‘X’ is no longer sufficient. The more technical users will want to run Task Manager to ensure there are no remnant running browser processes and terminate them. Alternatively, the taskbar will show the browser’s icon with slight highlighting, indicating that it is still running.”

It’s worth noting that there are a couple of other ways you can determine whether some portion of your system’s resources is being co-opted in this manner. Restarting your system will certainly do the trick, and if you have your taskbar set to transparent, you’ll be able to see the pop-under quite clearly. Also, resizing or relocating the taskbar will reveal the hidden browser window.

This is but the latest chapter in the ongoing battle between hackers and unscrupulous website owners and the makers of adblocking and other types of security software. In time, ad blocking software will be modified to catch this type of exploit, and in response, the owners of malicious websites will change their approach and find a new way to get around various detection schemes. As ever, while software can certainly help, vigilance remains the best defense.

Watch Out For New Facebook “Trusted Friend” Scam

If you can’t trust your friends, who can you trust?

No one, apparently.

There’s a new scam on Facebook that’s making waves, and it’s one you should be mindful of. You may get an “urgent message” from someone you know, asking for your help in recovering their Facebook account.

This is a tried and true phishing scam, relying on some basic psychology. After all, if you get an earnest-sounding message from someone you know explaining that you’re listed as one of their “Trusted Friends” and, as such, uniquely positioned to help verify their identity so they can get access to their account back, who wouldn’t instinctively respond? This is exactly what the scammers are hoping for.

The message goes on to explain that they’re sending an unlock code to your email address, and they just want you to reset the password for them.

Unfortunately, the unlock code is nothing of the sort. Instead, it triggers a password reset for your own account. If you click the link and “reset your friend’s password,” then reply back, helpfully telling him or her what the new password is, you’ve inadvertently given your own login information to the hackers. From there, the sky’s the limit.

What makes this latest scam particularly problematic is that so many other web properties allow you to use your Facebook login details to access them, which is a roundabout way of saying that you’re using the same login credentials across multiple websites – one of the most basic and pervasive problems of user security in existence.

There’s no real defense for this other than vigilance, and if you see a message like this, simply ignore it. If your “trusted friend” genuinely needs help regaining control of their account, Facebook has resources to assist.

New “MailSploit” Allows Email Spoofing

Phishing attacks just got a whole lot easier.

A German security researcher named Sabri Haddouche has recently discovered a set of email vulnerabilities that have been collectively dubbed “Mailsploit.” At the root, these vulnerabilities stem from the way most email systems interpret addresses encoded with a 1992 standard called RFC-1342.

The standard requires that all information in an email header consist of ASCII characters. If a non-ASCII character is encountered, it gets converted into an encoded form that the recipient’s client decodes before display. Unfortunately, a shockingly large number of email clients (33 and counting) make no effort to check the decoded header afterward for malicious content.

Also, if the decoded header contains a null byte, or two or more email addresses, the only address that is read is the one preceding the null byte, or the first valid email address encountered.
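As an added example (not part of the original article or of Haddouche’s research), here is a Python check that decodes the encoded-words in a From: header the way a mail client would and flags the indicators described above: a control byte such as NUL in the decoded text, or an address smuggled into the display name that differs from the real sender. All sample headers are constructed.

```python
import base64
import re

# RFC 1342 / RFC 2047 "encoded-word": =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# Deliberately permissive address matcher: we want to see every address-like token.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_encoded_words(header: str) -> str:
    """Decode every encoded-word in a header the way a mail client would."""
    def _decode(m):
        charset, enc, payload = m.group(1), m.group(2).lower(), m.group(3)
        if enc == "b":
            raw = base64.b64decode(payload)
        else:  # Q encoding: '_' is a space, =XX is a hex-encoded byte
            raw = re.sub(rb"=([0-9A-Fa-f]{2})",
                         lambda h: bytes([int(h.group(1), 16)]),
                         payload.replace("_", " ").encode("ascii"))
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_decode, header)


def inspect_from_header(raw: str) -> dict:
    """Decode a From: header and report the two indicators the article describes:
    control bytes (NUL) and extra addresses carried inside the display name."""
    decoded = decode_encoded_words(raw)
    findings = []
    if any(ord(c) < 0x20 and c != "\t" for c in decoded):
        findings.append("control character (e.g. NUL) in decoded header")
    addresses = ADDRESS.findall(decoded)
    # The address a compliant parser should use is the final <angle-addr>.
    angle = re.search(r"<([^<>]*)>\s*$", decoded)
    sender = angle.group(1).strip() if angle else (addresses[-1] if addresses else "")
    foreign = sorted({a for a in addresses if a != sender})
    if foreign:
        findings.append("display name carries other address(es): " + ", ".join(foreign))
    if len(addresses) > 1:
        findings.append("more than one address in decoded header")
    return {"decoded": decoded, "sender": sender, "findings": findings}


def b64_encoded_word(text: str) -> str:
    """Helper used only to build the constructed sample headers below."""
    return "=?utf-8?b?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


# Constructed sample From: headers (not taken from the article or the research).
SAMPLES = {
    "plain": '"Alice Example" <alice@example.com>',
    "encoded_ok": "=?utf-8?q?Jos=C3=A9_Example?= <jose@example.com>",
    "null_byte": b64_encoded_word("ceo@example.com\x00") + " <attacker@example.net>",
    "two_addresses": b64_encoded_word("ceo@example.com <ceo@example.com>") + " <attacker@example.net>",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        result = inspect_from_header(header)
        print(f"{name:14} sender={result['sender']!r} findings={result['findings']}")
```

A mail gateway or client plugin would apply this check after decoding and before rendering the sender, so the header the user sees is the one the address parser actually used.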

The email clients vulnerable to this type of attack include:

  • Apple Mail
  • Mail for Windows 10
  • Microsoft Outlook 2016
  • Mozilla Thunderbird
  • Yahoo! Mail
  • AOL Mail

along with many others. Haddouche notes, however, that Gmail is unaffected by the exploit.

There are two ways a hacker can use Mailsploit. First and most obvious to the eye is the fact that it can be used to spoof an email address, making it appear to be from someone you know, which, of course, has the impact of making it much more likely that you’ll click on any links embedded in the body of the message.

Secondly, and potentially even more troubling, is the fact that the exploit can be used to inject malicious code directly onto the recipient’s machine, which can easily give the hacker sending the email full control of the target’s system.

Worst of all, though, is the fact that while Haddouche contacted all of the companies found to offer vulnerable email clients, only eight of them have released a patch to correct the issue. Twelve vendors opted to triage the bug, but gave no information on if or when the issue might be patched, and twelve others made no reply at all.

Mozilla and Opera (both vulnerable) flatly refused to address the problem, which they see as a server-side issue.

Your IT staff’s job just got a whole lot harder.

Be Careful Of Downloads – Google Play Store Sees Malware Increase

Google’s Play Store is under siege. In recent months, there has been a sharp spike in malware campaigns launched against the store, with a shocking number of poisoned apps slipping past Google’s robust system of checks designed to prevent, or at least minimize, such occurrences.

The spike in poisoned apps has been reported by three different security companies: Dr. Web, McAfee and Malwarebytes.

According to the latest McAfee report, 144 Play Store apps have been identified as containing malware. To give you a sense of the scope and scale of the attack, McAfee analyzed a sample of 34 of the malicious apps and found that they had been downloaded between 4.2 million and 17.4 million times.

Of the malware strains found to be present on the Play Store, far and away the most common is Grabos, which is designed to push fake notifications that trick unsuspecting users into installing other apps. Based on the observed behavior, it’s likely that Grabos’ authors generate revenue based on the number of installs achieved. Based on the sheer number of downloads, it’s a model that’s paying handsome dividends for the hackers.

The second most common malware strain identified in the McAfee report is AsiaHitGroup, which utilizes an IP blacklist to specifically target users in Asian countries. This malware was initially found in an app named “QR Code Generator,” and once it infects a user’s machine, it will download a second-stage threat in the form of an SMS Trojan, which auto-subscribes infected users to premium phone numbers using SMS text messages.

Since its initial discovery in QR Code Generator, the AsiaHitGroup malware has been found in a variety of other apps, including alarm clock, photo editor and internet speed test apps.

The security firm Dr. Web found a third distinct malware strain called Android.RemoteCode.106.origin, which was found to be embedded on nine different Play Store apps that had been downloaded between 2.37 million and 11.7 million times.

This campaign opens an “invisible” browser page that shows ads and is the least intrusive of the malware strains found. It’s likely that the hackers controlling this one get paid via ad impressions which are spoofed on the invisible browser window.

In addition to these, ESET has identified a fourth threat, having identified eight different apps that are infected with the MazerBot banking Trojan. This one is potentially the most damaging of the recently identified threats.

Google’s Play Store is clearly a fair bit more dangerous currently than its users are accustomed to. Be very careful when downloading apps until Google can beat back these recent attacks.

Yet Another Credit Card Breach For Hyatt

Hotel giant Hyatt is in the crosshairs again, having suffered its second data breach in two years. Hyatt’s security team recently confirmed the breach as having occurred between March 18 and July 2 of 2017.

While the company has yet to release any information detailing the number of impacted users, simply stating that it was a “small percentage of guests,” we do know that the following information was stolen:

• Credit card numbers
• Cardholder names
• Expiration dates
• Internal verification codes

Of note, no other personal information was obtained, so your name, address, birthdate, etc. remain safe.

It’s also known that the breach impacted 41 of Hyatt’s facilities, spread over 11 countries, including the United States, Brazil, China, Colombia, Guam, India, Indonesia, Japan, Malaysia, Mexico, Puerto Rico, Saudi Arabia and South Korea.

Per Chuck Floyd, Hyatt’s President of Operations:

“Based on our investigation, we understand that such unauthorized access to card data was caused by the insertion of malicious software code from a third party onto certain hotel IT systems. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue.

We worked quickly with leading third-party cybersecurity experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future.

As a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide.”

Interestingly, this statement is eerily similar to the one he was forced to issue last year after the first of the two data breaches.

While it’s understandable to try and put things in the best possible light after an attack like this, the words begin to ring hollow if the attacks keep happening, and it may be more difficult for Hyatt to regain consumer trust after this second incident.

Files Containing Nearly 1.5 Billion Passwords Leaked On The Internet

Researchers from the security firm 4iQ have made a disturbing discovery on the dark web. A massive repository has been discovered that contains a staggering 1.4 billion usernames and passwords in plain text.

The repository is well organized, with each letter of the alphabet having its own directory to facilitate rapid search, and 4iQ has tested a subset of the data it contains and found an alarming percentage of the usernames and passwords to be viable.

It should be noted that this data isn’t from a new, previously unknown breach, but rather, an aggregation of data stolen from 252 previous breaches. The CTO of 4iQ, Julio Casal, had this to say about the discovery:

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true. The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo lists that exposed 797 million records. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”

The usernames and passwords come from a wide range of sources including Runescape, Minecraft, RedBox, Badoo, Zoosh, Last.FM, YouPorn, Netflix, MySpace, LinkedIn, Pastebin, Bitcoin and many others.

What’s even worse is that as large as this collection is, it’s really just the tip of the spear. A shocking percentage of users have the bad habit of using the same credentials across multiple web properties, so it’s a statistical certainty that many of the passwords contained in this file will allow hackers access to much more than just the web properties the passwords were stolen from.

If you’re not yet in the habit of changing your passwords on a regular basis, you should begin doing so immediately, and if you’re one of the hundreds of millions of people who use the same password on multiple sites, it’s well past time to break that habit.

Android Bug Found In Adaptive Icons

Do you use apps that employ the new “Adaptive Icons” feature introduced in Android Oreo? If so, be aware that there’s a serious flaw in the code that could send your device into an infinite bootloop, leaving you no alternative but to restore the device to factory default settings, which will almost certainly result in at least some lost data.

It’s important to underscore the fact that this bug does not impact Android Oreo at all in its default state. Rather, it can be triggered by apps that use the Adaptive Icons feature.

The bug was discovered by a developer going by the name of Jcbsera, who wrote an app called “Swipe for Facebook.” His app, when installed, creates a conflict by introducing two files with the same file name, which creates a circular reference.

The only way around the problem relies on you having done some serious prep work in advance of installing the app, which includes having USB debugging enabled and uninstalling the app via ADB, a combination of conditions unlikely to be met by many users.

The bug wasn’t picked up on in testing because all testing was conducted on the emulator built into Android Studio, which did not allow the bug to manifest.

Note that if you’ve installed this app, you do not need to launch it in order to send your device into an infinite loop. That happens automatically, once the installation is complete.

Google has been notified, and plans are already in place to patch the issue in the upcoming release of Android Oreo 8.1.

This interesting, but ultimately unnecessary feature has already caused thousands of users to lose data by forcing them to restore to factory defaults. Just be aware of it so that it doesn’t happen to you, and update to version 8.1 as soon as it is available.

New Facebook Messenger App For Kids Raises Privacy Questions

On the surface, the new Facebook For Kids messenger app looks like a solid win that should put the minds of parents all over the world at ease.

The company conducted extensive interviews and assembled a blue-ribbon panel of experts to help it craft the new tool, aimed at children ages 6-12. The app itself is user friendly and filled with bright, cheerful primary colors that appeal to kids, but there are problems, or, at the very least, valid concerns.

For one thing, Facebook has made no mention of how it plans to monetize its new app, other than to say that it won’t contain any advertising. It’s not difficult to imagine some possibilities, however, and none of them good.

For another, the company essentially used scare tactics to get parents to sign their kids up for the service, saying essentially that kids are going to chat online anyway, and if they don’t use Facebook’s new offering, they are at greater risk of talking to a child predator.

Then, there’s the issue that Facebook requires the child’s full name, and behind the scenes, the app is busily mapping out the child’s social network – who his parents are, the friends of both the children and their parents and so on.

According to the company, it has no plans to turn children’s accounts into full-fledged Facebook profiles, but given the amount of data being collected, it’s not hard to imagine them offering a one-click export function that would turn these accounts into regular Facebook accounts on the day the child turns 13.

What’s most disheartening of all is the fact that the company could have chosen another, far less intrusive route. Rather than requiring the child’s full name and the establishment of a familial relationship, the app could have been nested directly under the parent’s account, with a nickname or even a colorful symbol used to denote the child. This approach would have been far less data intensive and far less intrusive.

How well the new app will be received remains to be seen, much like the long-term consequences of its launch.

Firefox Doubles Its Speed With Latest Release

The new version of Firefox is out, and if you’ve moved away from the browser in recent years, it may be time to give it another look.

Dubbed “Quantum,” Firefox’s latest offering has been completely redesigned, and has a lot to like, not the least of which is its raw speed. This latest version is twice as fast and now handily beats Google Chrome in speed tests, thanks in no small part to its next-gen CSS engine, and the fact that it is the first browser to fully utilize the power of multicore processors.

It also consumes 30 percent less memory and positively sips battery power, making it a great choice for laptop and smartphone users.

In addition to that, the revamped browser offers improved tracker blocking, built-in screenshot functionality and of particular interest, support for WebVR, which enables webmasters to take full advantage of the capabilities offered by virtual reality headsets.

You can get Mozilla’s latest offering from their website right now if you’re a PC user, though you’ll have to wait a bit if you’re on a smartphone. The latest release is scheduled to appear on the Google Play Store in a matter of days, but there is, as yet, no ETA on when it will be appearing in Apple’s App Store.

Speed is life in business, and if you’re looking to squeeze out a bit more efficiency and performance from the machines on your network, the new Firefox browser is definitely worth checking out. It’s only a matter of time before the other major players catch up, but until they do, Firefox’s Quantum browser looks to be the new reigning king of the hill and represents a big win for mobile users, given the power savings on offer. Kudos to Mozilla for an exceptional update!