Google Cracking Down On 3rd Party Browser Extension Installs

Malicious code can wind up on your PC or phone by any number of roads.  Companies do their best to guard the digital passes, but invariably, things get missed and the hackers find a way in.  It’s a constant battle, and sadly, one that the good guys are losing.

Recently Google has stepped up its efforts, this time by focusing on Chrome browser extensions installed by third parties.  By the end of the year, no extensions will be allowed on Chrome except for those acquired via the Web Store.

James Wagner, Google’s Product Manager for the Extensions Platform, had this to say on the topic:

“We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly – and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites.”

It’s a thorny problem, but industry experts broadly agree that Google is taking the right approach here.  Beginning in September, Google plans to disable the “inline installation” feature for all existing extensions.  The user will instead be redirected to the Chrome Web Store where they’ll have the option to install the extension straight from the source.

Then, in December 2018, the company will remove the inline install API from Chrome 71, which should solve the problem decisively.

Of course, hackers being hackers will no doubt find a way around that, but kudos to Google for taking decisive action here.  While browser extensions aren’t a major attack vector, it’s troublesome enough that Google’s attention is most welcome.

It should be noted that one of the indirect benefits of Google’s plan is that it further bolsters the importance of user ratings of extensions.  They’re highly visible on the Web Store, so anyone who’s considering installing something has a good, “at-a-glance” way of telling whether the extension is good or a scam. That’s information they wouldn’t get had the extension been installed inline.

Again, kudos to Google!

Majority Of Web Apps Found To Have Security Vulnerabilities

How many web apps do you have on your phone?  Probably a ton.  Here’s something you likely didn’t know.  Based on the latest research from Positive Technologies, nearly half of them (48 percent) are vulnerable to unauthorized access.

As bad as that is, it’s just the tip of the proverbial iceberg.

Here are some additional disturbing stats from their report:

  • 44 percent of the apps with vulnerabilities place the user’s personal data at risk
  • 70 percent are prone to leak critical information stored on the device
  • 96 percent of them contain flaws that would allow any malicious actor to exploit them to launch an attack on the target device
  • Of those, one in six (17 percent) has a flaw severe enough that it would allow an attacker to assume complete control over the app, and from there, the device itself

The majority of these flaws (some 65 percent) are the result of simple coding errors, with improper configuration of web servers being the most common of these.

There is one bright spot in the otherwise dismal report, though.  The percentage of apps with critical vulnerabilities has declined slightly, down from 52 percent last year, and 59 percent the year before. So the numbers, while frustratingly large, are trending in the right direction.

Ed Keary, the CEO of Edgescan, had this to say on the topic:

“DevSecOps needs to be embraced such that security is throughout the development pipeline.  Application component security management (software components used by developers) is still not commonplace in terms of supporting frameworks and software components and is a common source of vulnerability.”

If your firm designs such applications, pay special attention to this report and review your code base at the earliest opportunity.  Even if you don’t, it pays to be mindful of the percentages, because odds are that your employees have several at-risk apps on the devices they’re connecting to your network.

Apple Will Officially No Longer Sell Routers

After more than two decades in the business, Apple is officially going to stop selling routers.  The writing has been on the wall for a while now, since the company’s “AirPort” family of products hasn’t received a significant update in more than five years.

When Apple first introduced its AirPort product line, wireless computing was still something of a rarity, and Apple’s offerings were ahead of their time.  In the years between then and now though, the market has changed significantly.  Unfortunately, Apple’s product line never really changed with it.

These days the competition is fierce with industry giants like Google and Linksys both offering great options for power users. With the rise of mesh networks, the AirPort product line has fallen increasingly behind the times.

The company announced that it would sell its existing AirPort product inventory and support its current user base for the time being, but after that, it would quietly fade away.  The company has simply moved on and has redirected its efforts toward other initiatives.

In looking at the broader market, it’s not a huge blow. Of course, if you own and use an AirPort product, now is the time to begin casting about for alternatives.  The clock is ticking, and once Apple sheds its existing inventory, we can expect to get an end-of-support date from them. This will leave any AirPort products still in operation at that point increasingly vulnerable to a variety of hacks.

Even so, given how ubiquitous wireless networking is these days, and how many powerful options are out there, finding a replacement for your AirPort product shouldn’t present too much of a challenge.  Just make sure your IT staff knows that the end is nigh, so they can get a replacement in place before the clock runs out.

Study Shows People Prefer Alternatives Over Passwords

File this one away under “confirming things we already knew.”  A recent study conducted jointly by Blink and Trusona confirmed that people just don’t like passwords very much.

Their study tracked the login behavior of 148 participants over a three-week period.  Without knowing the true purpose of the study, participants were asked to log into a gift idea generation website at least three times a week.

They were given the option of a “classic” (password-based) login, or an “easy” login option, which utilized alternative forms of authentication.

The results should surprise no one, but here are some of the statistics collected during the course of the experiment:

  • 84 percent of participants utilized the easy login at least once
  • 47 percent of participants utilized the classic login at least once
  • Those who used the easy login had successful logins 78 percent of the time
  • Those who used the classic login had successful logins 56 percent of the time

Per Robert Capps, a VP for NuData Security,

“This report shows that consumers are ready to move beyond passwords and usernames to more secure authentication methodologies.  Using a multilayered authentication framework that combined behavioral analytics with biometrics allows companies to verify users accurately without adding unnecessary friction and detect any unauthorized activity before it enters the environment.

Multilayered solutions that include these technologies analyze hundreds of data points throughout a session and create an evolving profile of a user across the session.  Passive biometrics and behavioral analytics are technologies that can provide this level of monitoring without adding friction to legitimate users, thus creating more convenient experiences for users.”

Clearly, users don’t like passwords.  Unfortunately, there’s currently no technology on the market capable of the feats Mr. Capps describes.  There are several promising models and products in varying stages of development, but sadly we’re still a ways off from realizing a password-free, hyper-secure login paradigm.  That day is no doubt coming though, and not a moment too soon.

Use Caution Traveling, Hackers Now Have Keys To Hotel Rooms

Score one for the good guys, but with hesitation. Unfortunately, in today’s fast-moving digital world, even a victory doesn’t mean the end of a problem.

Recently, a pair of researchers (Tomi Tuominen and Timo Hirvonen of F-Secure) released information about a new hack they had discovered. It takes advantage of a critical security flaw in the magnetic VingCard locking systems used in hotel chains around the world.

This particular system produced by Assa Abloy is deployed in more than 42,000 facilities around the world. So in terms of scope and scale, this flaw impacts literally millions of doors.

The security flaw is about as bad as it gets, too.  The duo found a way that hackers could turn an old, dead RFID key card into a master key that could be used to unlock any VingCard door.  Although the software they used to create the master key card is proprietary, any hacker worth his salt and with a couple hundred dollars to spare for equipment could reproduce the hack on their own, if given time.

Fortunately, long before the pair announced their discovery of the hack, they contacted Assa Abloy privately. They have been working with the company’s R&D department to develop a fix for the security flaw.  That fix has now been deployed, and the researchers stress that so far, there is no evidence that the exploit has ever been used in the wild.

Of course, that doesn’t mean that it couldn’t be used, and just because Assa Abloy has released a fix for the flaw doesn’t mean that everyone will promptly install it. So, the risk is still very real.  If you’re a frequent traveler, take extra precautions and don’t leave your valuables in plain sight in your room.  They may be more vulnerable than you realize.

T-Mobile And Sprint To Merge Companies

The on-again, off-again talks about a merger between T-Mobile and Sprint are definitely back on, with T-Mobile planning to buy Sprint for a staggering $26 billion.

The deal has been in the works since before Trump was elected President. It died quietly when it became clear that the Obama administration would not allow the deal to go forward, due to concerns that it would leave the US with only three telecom providers, which could harm consumers.

The Trump administration has made it clear that they applaud the move.  However, Trump’s Justice Department may be a significant hurdle to clear.  Nonetheless, as things stand now, the deal is steaming ahead and the combined company would have a whopping 127+ million customers, putting it not far behind AT&T’s 141.6 million and Verizon Wireless’ 150.5 million customers. T-Mobile’s CEO John Legere would lead the new, larger company.

John had this to say about the planned merger:

“This combination will create a fierce competitor with the network scale to deliver more for consumers and businesses in the form of lower prices, more innovation, and second-to-none network experience – and do it all so much faster than either company could on its own.”

The underlying argument in favor of the merger is that the US is falling behind in terms of network speed. If there is to be any hope of arriving first at a nationwide 5G network, we need bigger, stronger and more robust competitors.

As history shows us clearly though, the regulators of the previous administration have valid concerns about the monopolization of the industry.  Any time there are fewer competitors on the board, regardless of the industry, consumers invariably get hit with higher prices. There’s no reason to believe this merger will lead to a different outcome.

Regardless, it now appears that the merger is likely to happen.

Vulnerability In Mac OS Went Unnoticed For Years

Researchers at Okta Security have stumbled across something big.  Recently, they discovered a flaw in Apple’s OS that would have allowed hackers to completely undermine Apple’s code signing process.

While at first glance that doesn’t sound so bad, the implications are terrifying.  In a nutshell, code signing uses cryptographic “signatures” to verify and validate code.  If code bears the digital signature, it is considered trusted.  If it’s trusted, then it’s given an automatic free pass, straight into the heart of any system.

Unfortunately, this flaw in Apple’s code signing process dates back more than a decade. It was only recently discovered, and purely by chance at that.

An extensive forensic analysis has turned up no evidence suggesting that this exploit was ever used for nefarious purposes, which is the one silver lining in all of this.

Upon discovering the flaw, Okta personnel reached out to Apple and other vendors who could have been impacted by the flaw, including tech giants like Google, Facebook and also smaller players like VirusTotal, Objective Development, Yelp, and Carbon Black.

Apple moved swiftly and has since fixed the issue, so this one can be considered a bullet dodged.

Josh Pitts, an Okta engineer, sums the issue up:

“Different types of tools and products use code signing to implement actionable security; this includes whitelisting, antivirus, incident response and threat hunting products.  To undermine a code signing implementation for a major OS would break a core security construct that many depend on for day to day security operations.”

A completely fair assessment.  Thankfully (at least in this particular case), although the issue was hiding in plain sight, it does not appear to have been exploited before being fixed.  We won’t always be so lucky.

Healthcare Sector Facing Rise In Ransomware Attacks

The Department of Health and Human Services has issued a warning to healthcare providers to be on high alert for the SamSam strain of ransomware, which has been used to attack eight different healthcare entities so far this year.

SamSam made its first appearance in 2016 and is seeing increasingly widespread use so far this year.  Unfortunately, the healthcare industry is considered by most to be a soft target. On the Dark Web, healthcare data has become more highly sought after than credit card data, which is only going to put more healthcare entities at risk.

The most tragic component of this is that when a hospital’s network goes down, they stand to lose more than just money and control over patient data.  Lives are also at risk.  Although none of the attacks to this point have resulted in patient deaths, it’s statistically inevitable.  As these attacks continue to increase in frequency, scope and scale, sooner or later, someone will die because of them.

According to security experts, the root of the problem lies in the fact that guarding against such attacks is seen as fundamentally an IT issue.  The truth is that it is an organization-wide issue, and should be treated as such, because attacks like these pose an existential threat.  Treating the issue as something for a single department to be responsible for inevitably leads to a lack of funding and an inadequate incident response plan. This leaves most organizations completely unprepared to deal with an attack and its aftermath.

Even more worrisome is the fact that an increasing number of ransomware attacks simply destroy the data.  Sure, the ransom note still gets displayed, but the hackers simply have no intentions of unlocking the files, and they build their software accordingly. Most recently, hackers have taken to corrupting encrypted data files, which can cause lingering problems for months or even years after they’re unlocked.

This problem is only going to get worse until we all start taking data security more seriously.

Facebook Is Adding New Features, Including Dating

At this year’s F8 Developer’s conference, Facebook announced a raft of changes and updates it will be rolling out later this year.  Some are fun, others practical, but they’re all interesting.  Here are the highlights:

Get Ready for “FaceDate”

This announcement is interesting. Not so much because the idea of using Facebook to meet someone is new, but because of what the announcement did to the stock prices of existing companies.

The new feature will look and feel a bit like Tinder, with a few important caveats:

  • Your FaceDate profile will be separate from your Facebook profile
  • The app will not match you with your existing Facebook friends
  • Your existing friends will not see, or even know about your FaceDate profile (unless you tell them, of course)

Facebook fanatics will no doubt love this feature, but the news caused the stock prices of two online dating companies to fall sharply. These included Match Group (parent company of Match.com) tumbling 22 percent, and IAC (parent company of both Tinder and Match Group) falling 16 percent.

Third Party App Review Starting Up Again

In the wake of the Cambridge Analytica scandal, the company suspended its third-party app review.  That is re-opening starting Tuesday, so by the time you read these words, app review should once again be in full swing.  The major change here is that the company will now require business verification for apps that need access to specialized APIs or extended login permissions.  Apps asking for basic profile information only will not be subject to this new requirement.

Real Time Language Translations In Messenger

A long-anticipated feature addition, but the company is taking a cautious approach here.  When the feature is initially rolled out, it will only translate English-Spanish conversations, with additional languages added incrementally.  In addition to the translation feature, the Messenger interface will also get some tweaks and improvements.

“Clear History” Feature Being Added

This one is aimed specifically at the lingering privacy concerns Facebook’s CEO was recently grilled about when he appeared before Congress.  In a bid to increase user privacy, Facebook will now allow its users to see the apps and websites that send Facebook information when in use, and allow users to turn off Facebook’s ability to store that data.  It’s a good first step, but it remains to be seen how helpful it will be in terms of increasing user privacy.  There’s no good way to know that until we get the opportunity to see the new feature in action.

All in all though, a productive conference, with a number of interesting changes ahead.

New SSD Drive Can Hold 8TB of Storage

Good news for the business world in general, and the owners of data centers, in particular.

Mass storage is about to get vastly more efficient thanks to Samsung’s recently launched solid state drive, which manages to pack an impressive 8TB of storage into a delightfully small footprint, measuring just 11cm x 3.05cm.

Not only do the new drives deliver twice the storage capacity of the SSDs used in high-end servers and slim line laptops, but they also have an impressive read speed of 3100 MB/s, and write speeds of 2000 MB/s. The read speed of the new drive is five times faster than the speeds you typically get from SATA SSDs, and the write speeds are three times faster.

When hyper-scaled, that means that an enterprise server system could perform more than a million IOPS in a 2U rack space, and that translates into a significant ROI for large-scale data centers.

It gets even better. Samsung is planning to release a 512 gigabit version of its 3-bit V-NAND SSD later this year, which will allow significant improvements in processing speeds for big data applications.

What we’re talking about here, ultimately, is storage and processing density. The new SSD is built with 16 512GB NAND packages, each stacked in sixteen layers of 256-gigabit 3-bit V-NAND chips that were specifically engineered with massive SSDs in mind.

This allows data centers to triple total system density in the same footprint, and allows for a mind-boggling 576 terabytes of storage in 2U rack servers.

This is paradigm shifting and will make cloud-based service providers even more attractive. The most successful of these already have hyper-scale data centers in place, already have a wealth of experience when it comes to handling very large data sets, and have experience dealing with applications designed to sift through those mountains of data. Enterprise users, rejoice!