Tag: General Interest

Sound Waves May Be Used In Future Hard Drive Attacks

Another week, another attack vector, and this one deserves extra points for creativity.

New research has proved the viability of using something as simple and innocuous as sound waves to disrupt the normal functioning of HDDs, which can be used to sabotage a wide range of equipment from Pcs, to CCTV systems, ATMs and more.

Researchers have toyed with, and been aware of the possibility of using sound waves to disrupt the normal functioning of an HDD for more than a decade, but the most recent research conducted by scientists from Princeton and Purdue universities have outlined exactly how such an attack could be carried out.

The attack exploits a peculiar design feature of HDDs. Because they store large amounts of data on small platters, they’re designed to shut down in the presence of excessive vibration to avoid scratching or damaging the platter, and thus, destroying information on the drive.

If a hacker can determine the optimal attack frequency against a given HDD, then he could play a sound aimed at the drive that would cause it to stop functioning. If the sound were played long enough, it would require the system to be manually restarted to get it working again.

As the researchers demonstrated, finding the optimal attack frequency is a trivial enough task, but it should be noted that this is a fairly exotic type of attack, and not likely to see widespread use.

The biggest threat one would potentially face from such an attack would be the disruption of the functioning of security cameras to create a blind spot at a facility, which could then be physically breached. But given that the tones are within the range of human hearing, anyone in the vicinity could come and investigate.

Nonetheless, it’s an intriguing bit of research with potentially damaging implications.

Weird Sounds Coming From Your Speakers? Could Be A Hacker

Have you been hearing strange, otherworldly sounds on your Bose or Sonos speakers? If so, rest assured that your speakers aren’t haunted. They’ve likely been hijacked by hackers.

Researchers at Trend Micro have confirmed that some models (the Sonos Play:1, the Sonos One and the Bose SoundTouch) of both brands of speakers are vulnerable to hacking if the speaker is connected to a misconfigured network.

If the hackers find such a speaker, they can take control of the speaker and direct to play any audio file hosted at a specific URL.

It should be noted that this is an extremely exotic, fairly elaborate hack, and one that’s not likely to gain the hacker much, if anything in the way of useful information about the target network. Overwhelmingly, if and where this hack is seen at all, it will be used to play pranks on the target. About the worst thing that could happen is that the hacker would play a particularly annoying or alarming sound (a woman screaming, glass breaking, a baby crying or similar), which might lead to some sleepless nights or confusion, but not much else.

Even so, it’s worth making note of, because if a hacker is able to take control of a speaker connected to your network, it means that there’s a misconfiguration somewhere that could lead to a more serious hack down the road. If it happens to you, it’s well worth reviewing your network setup and security settings.

A spokesman for Sonos had this to say about the hack: “…looking into this more, but what you are referencing is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers.”

Interestingly, this isn’t the first time such a hack has been seen. In 2014, a developer created a hack that went by the name “Ghosty” that did more or less the same thing.

Better Parental Controls Underway For Apple Devices

Recently, a group of investors wrote an open letter to Apple, urging the company to do more in regards to offering better and more robust parental controls on the devices the company makes. Although the group of investors control some $2 billion in Apple stock, this is a drop in the proverbial bucket, given the company’s $900 billion market cap. Nonetheless, the letter seems to have gotten Apple’s attention.

In a statement published in the Wall Street Journal, the company said: “We think deeply about how our products are used and the impact they have on users and the people around them. We take this responsibility very seriously, and we are committed to meeting and exceeding our customers’ expectations, especially when it comes to protecting kids.”

Previously, the company has touted the suite of parental controls it’s had in place on the devices it makes since 2008. For example, every iPhone sold has a settings app with a parental controls section that allows adults to control in-app purchases, install and delete apps, and restrict website access.

Those are all good things, but the group of investors is pushing for more. Although the company has not released any details about their planned enhancements, it does appear that the letter has prompted them to think even more deeply about the matter, and in that same letter, also requested that apple aid research that studies what impacts excessive smartphone use has on mental health.

To their credit, Apple has done more with parental controls than many, if not most other tech companies, and it is very good to see that they’re listening and responding to the concerns of their investors. This kind of responsiveness bodes well, and depending on the particulars of their plan, it could well cause other companies in the industry to attempt to match their moves.

Hard Drives May Double In Speed With New Technology

What’s an HDD manufacturer to do when faced with competition by faster, more efficient SSD drives?

Go big, and go faster. At least that’s the strategy that both Seagate and Western Digital are adopting.

SSDs tend to get prohibitively expensive as their size crosses the 1TB threshold, which creates an opportunity for HDD manufacturers. Seagate is currently selling drives with an impressive 14TB of capacity, and has plans on the drawing board to introduce a 40TB drive by 2023, with Western Digital not far behind, aiming for a 40TB drive by 2025.

That’s impressive, but as Seagate mentioned in a recent blog post:

“Capacity is only half of the solution. If the ability to rapidly access data doesn’t keep pace with all that capacity, the value potential of data is inhibited. Therefore, the advancement of digital storage requires both elements: increased capacity and increased performance.”

In order to address the performance side of the equation, Seagate is experimenting with a new approach called “multi-actuator technology.”

HDDS are based on platters, with an actuator arm on the top and bottom that write to the platters.

Actuators are all aligned and are designed to move in tandem, but at any given moment, only one arm is writing to the disk.

Seagate’s new solution utilizes two sets of actuator arms, each controlled independent of the other. With two heads capable of reading and writing simultaneously, HDD speeds can effectively be doubled.

It’s an idea that has been around for a while, but until recently, thanks to the prohibitive cost of the components, it was simply impractical. With component prices falling, it’s suddenly viable. The combination of massive HDDs and the new technology are making people take a second look at HDD technology.

This is a great advance that breathes new life into HDDs, and is a truly exciting innovation.

Electronic Device Search Rules Better Defined By US Customs

There’s a constant tug of war playing out on the national stage. On one side, privacy advocates are pushing for greater autonomy for end users, and hard limits to the types of searches that law enforcement agencies are allowed to conduct.

On the other side are the government agencies themselves, which often cite national security concerns as the justification for more and easier access to the sensitive data contained on personal devices like laptops and smartphones.

Generally speaking, the privacy advocates lose those battles. This was the case recently, when the CBP (the US Customs and Border Protection agency) published their latest electronic search guidelines. The most significant change is that the new guidelines explicitly define the difference between basic and advanced searches.

CBP agents are authorized to choose any travel, with or without cause or suspicion, for basic searches. Under the clarified rules, a basic search is limited to an examination of data found on the device itself, which is accessible through already installed apps, or through the device’s OS.

Advanced searches may be conducted, but agents must demonstrate that there’s a reasonable suspicion of criminal activity, or that the person carrying the device represents a “national security concern.”

The individual singled out for an advanced search may be permitted to be present while the search is conducted, but are not permitted to view the actual search itself for fear of revealing law enforcement techniques. Of significance, even during the conduct of an advanced search, agents are not permitted to search cloud-based data. They are restricted to data stored on the device itself.

While none of this sounds especially heavy-handed, the biggest complaint privacy advocates have about the updated rules is the fact that border agents can, at their own discretion, still carry out warrantless searches without any judicial oversight whatsoever.

Although this may not impact you directly, it pays to be mindful of the recent changes.

Vulnerabilities Found In Some GPS Services

A duo of researchers stumbled across a series of vulnerabilities in literally hundreds of GPS services that leave sensitive GPS tracking data open to hackers. Dubbed “Trackmageddon” by the researchers, the vulnerabilities span a range of weaknesses that include default or easy-to-guess passwords, IDOR (Insecure Direct Object Reference) issues, insecure API endpoints, and data collection folders that are entirely unsecured.

The reason so many different tracking services are impacted is that most of them rely on the same online software to deliver their services, and that software (believed to be designed by ThinkRace, one of the largest vendors of GPS tracking devices) itself is flawed. As more and more companies license it, the issues spread, exposing the data of an increasing number of customers who are entirely in the dark about how vulnerable their location data is.

The researchers have made attempts to contact the vendors offering GPS tracking services with vulnerabilities, but so far, have met with only limited success. According to their report:

“We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users.

We understand that only a vendor fix can remove a user’s location history (and any other stored user data for that matter) from the still affected services, but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices, much higher than the risk of historic data being exposed.”

As to the types of data being exposed, it includes: GPS coordinates, phone numbers, IMEI numbers, device information, and depending on which online service is being used, a hacker could even gain access to audio, video, and photos uploaded by the device being used.

While extremely convenient, these services do carry significant risks. Use them at your own risk.

Do Not Use These Chrome Extensions

Do you use any of the following Chrome browser extensions?

  • Change HTTP Request Header
  • Nyoogle – (a custom logo for Google)
  • Stickies – (a Post-It note for Chrome)
  • Lite Bookmarks

If so, you’re not alone. These four extensions have a combined user base of more than half a million.

Recently, security researchers from ICEBRG (a US cyber-security company) have discovered malicious codes embedded in copies of these on the official Chrome Web Store. The code allows hackers to manipulate the users’ browser via JavaScript.

So far, the hackers have only contented themselves with relatively tame activities like loading and displaying ads, clicking on ads, and loading malicious web pages in the background. However, the potential exists to do much more than this.

Since ICEBRG informed Google, the company has removed three of the four plugins from the Web Store. As of this moment, only Nyoogle remains, though the expectation is that it will be removed in short order as well.

While all four extensions utilize the same basic techniques, and do many of the same things, it is not clear if all four were created by the same group, although this seems likely.

Since the extensions have now been (mostly) removed, the rate of infection will slow. Of course, if you’ve already downloaded and installed one of these four, then you are going to continue to be impacted.

The extensions are easy to uninstall, and if you’re using one of them, that is the recommended course of action.

In recent months, Google has taken steps to make their auditing process more robust to prevent malicious extensions and apps from finding their way onto the web properties they manage. As this latest incident proves, no matter how careful a company is, sooner or later something is going to slip through.

Inappropriate Ads Found In Some Game Apps for Kids

Normally, Google’s robust series of checks and audits are pretty good at catching malicious code and preventing it from making its way to the Play Store. Sometimes, however, something slips through anyway despite the company’s best efforts. This latest one is particularly bad.

Researchers from Check Point have identified a new strain of malware called “AdultSwine” lurking in more than sixty gaming apps on the Play Store. Each of these apps has been downloaded between 3 million and 7 million times, which gives us approximately 150 million infected devices.

As the name suggests, the malware primarily displays ads from the web that are of an adult nature, and often overtly pornographic. It also attempts to trick unsuspecting users into installing additional malware that masquerades as “security apps.”

An analysis of the code reveals it to be highly flexible, allowing the authors to easily begin collecting all kinds of information about the owner of any infected device. This makes identity theft a real possibility if the hackers were inclined to do so.

The most disturbing element of all this is that the malware seems heavily focused on apps and games designed for children. So if you’re a parent, it pays to check the apps that are installed on your child’s phone. What seems at first glance to be a harmless game could actually be displaying pornographic advertising while they’re playing.

The Check Point researchers had this to say about the discovery:

“Although for now this malicious app seems to be a nasty nuisance, and most certainly damaging on both an emotional and financial level, it nevertheless also has a potentially much wider range of malicious activities that it can pursue, all relying on the same common concept. Indeed, these plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.”

Just to be safe, double check the apps on your child’s phone!

Intel Chips Face Another Possible Vulnerability

Intel’s year isn’t getting off to a very good start. Just after the discovery of a pair of critical vulnerabilities that have been in their chipsets for more than a decade comes the discovery of yet another serious flaw that could impact millions of laptops around the world.

A Finnish data security firm called “F-Secure” just reported an issue with Intel’s Active Management Technology (AMT) that could allow a hacker to completely bypass the machine’s normal login procedure and take control of the target device in under a minute.

AMT is an admin-level feature that allows organizations to control and manage large numbers of PCs and workstations quickly and efficiently via remote. To take advantage of the flaw, a hacker would need physical access to the machine, which is its one saving grace. However, if they have that, they can take complete control even if a BIOS password has been set.

While other research teams have discovered AMT vulnerabilities in the past, this one deserves special attention for three reasons:

  • Once in control, the hacker could gain remote access to whatever network the machine is attached to at some later point.
  • It affects almost all intel laptops, and odds are that if you’re a business owner, there are a number of laptops with Intel chipsets connected to your network
  • It’s an incredibly easy flaw to exploit, requiring no code whatsoever.

F-Security Research Harry Sintonen had this to say about it:

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

It should be noted that this flaw is in no way related to the Spectre and Meltdown vulnerabilities that have been reported on earlier, giving Intel a trio of nasty problems to deal with right at the start of the new year.

Use Of Bots Has Increased Fake Account Creations

The ThreatMetrix Cybercrime Report 2017 is out, and is a troubling read for anyone who has anything to do with data security.  As a fraud prevention company protecting nearly a billion and a half users around the world, they’re uniquely positioned to know, and their insights on the threat landscape is invaluable.

Their main finding is that hackers, scammers and fraudsters are moving away from using stolen debit and credit cards, given that these things have such a short shelf life.  On the face of it, that sounds like it might be a good thing, until you understand what they’re doing instead.

They’re making use of stolen identity data to create bogus accounts, then applying for lines of credit on their own.  Even worse, they’re taking full advantage of automation to speed the process along.  According to the report, the volume of global fraud attacks is up a mind blowing 100 percent in just two years, with 700 million incidents reported in 2017 alone.

Bots are coming to play an increasingly important role in the activity of the fraudsters, too.  Once a new, fraudulent account has been created, it’s handed off to a bot to test it and make sure it’s valid, which increases its value on the Dark Web.

How big of a problem are bots on the web these days?

According to the report, ThreatMetrix blocked 1.5 billion bot attacks last year, with some retailers reporting that more than 90% of their daily traffic is comprised of bots.

At the root, what’s driving this behavior are the increasingly common, large-scale data breaches that put  up to hundreds of millions of data records into the hands of fraudsters.  Until and unless the flow of data can be stopped, we can expect this type of activity to continue to increase.

No matter how you slice it, 2018 is going to be a very interesting and very busy year.