Tag: Recent News

Windows 10 Privacy Becoming More Transparent In Next Version

All companies collect data on their customers, but some are better than others when it comes to being upfront about what kinds of data are collected.  Over the past year, Microsoft has made many moves that have been well-received by their enormous user base.  They’ve become increasingly transparent and offer an unprecedented level of control to the users themselves.

Last year, the company took its first major step, adding a pre-installation/pre-update Privacy Setting screen that allowed users to choose between two settings, Basic or Full, where global data collection was concerned.

Not long after, the company also added a Privacy section to the web dashboard of every Microsoft account, which allowed users to do things like:

  • Exporting any of the data found on the dashboard
  • Deleting specific items to allow for more individualized control
  • Viewing and managing media consumption data, along with product and service activity

The most recent addition is the release of an app called “Windows Diagnostic Data Viewer,” currently available on the Windows Store.  Right now, the app is available only to Windows Insiders, but is slated for release to the general public in April or May of this year.

As the name of the app suggests, it will not allow users to delete or manipulate any of the data collected, but it will provide an in-depth view of what data is collected. This would, at the very least, give system administrators the option to explore methods of disabling selected features in a bid to mitigate data collection.

Although the company is providing more options and becoming increasingly transparent, it has no plans to stop collecting telemetry data, insisting that it is essential in terms of making incremental product improvements and rapidly solving bug reports.  Like it or not, data collection is here to stay.

iPhone Throttling Issue To Be Addressed In Upcoming Update

Recently, Apple found itself in hot water with its normally adoring user base. This happened when it became known that the company was intentionally throttling (slowing down) the speed of older iPhones.

The company’s intentions were good.  They clearly meant well.  The move was designed to even out performance in older equipment.  As cellphone batteries age, they tend to lose charge more quickly.  What was happening was that people with older equipment would drop from 20% battery to 0% in the blink of an eye, causing their old phones to simply shut down at inopportune moments.  Apple’s strategy was simply designed to help keep that from happening.

Well-intentioned or not, the company didn’t formally announce the change, and it was discovered by chance by security researchers.  Needless to say, the legions of people who still use older iPhones were not amused and the company has faced backlash from an angry user base since.

Apparently, the backlash got bad enough that they listened.  Apple just announced that as of the next OS update, version 11.3, the OS will include a toggle switch that will allow users to choose whether or not to throttle their  phones to extend battery life.

This is the latest in a series of moves the company has made to get back in the good graces of its users.  Previous efforts have included a public apology and an offer to reduce its fee for battery replacement to just $29.

This has been a PR disaster for the company.  It probably won’t hurt their bottom line much, but perception matters. While the company has been trying bravely to save face, the simple truth is that this was a self-inflicted and avoidable wound.

There’s a lesson here for businesses of all shapes and sizes.  Transparency matters, and if you’re going to do something that directly impacts large segments of your user base, be upfront about it and give them a viable choice.

Fitness Trackers Could Be A National Security Risk

If ever there were two phrases that didn’t seem to go together, they would probably be “Fitness trackers” and “National Security Risk.”  The very idea that a simple fitness tracker could pose such a risk seems laughable on the surface, but this is no laughing matter.

Recently, a popular fitness tracking app called “Strava” published a heat map, which displayed the activity of its massive user base from around the world.  In all, the heat map contained more than a billion activities, tracking every jog, bike ride, walk, swim, downhill, and other activity that users opted to log.

Unfortunately, this app is a favorite of military personnel, and when the heat map was published, researchers made a disturbing discovery.  In logging their physical activity, military personnel gave away the locations of their (sometimes secret) bases.

Although the data was stripped of personally identifying markers before being loaded onto the map, other researchers have been able to de-anonymize the data, tying individual activity routes to specific people.

From a national security standpoint, this is disturbing on two levels.  First, of course, is the fact that the locations of supposedly top-secret bases could be discovered so easily, and by something as innocuous as a fitness app.

Second,  and every bit as disturbing, is the fact that since it has been demonstrated that the data can be de-anonymized. This means that enemies of any existing government  can accurately locate key personnel.  Armed with an activity map that establishes a “reliable pattern of life,” it can use that data to plan carefully orchestrated attacks against specific individuals.

Needless to say, the presence of apps that know so much about us and our precise whereabouts is going to require a total rethink by government agencies around the world.  One has to wonder, how many other unintentional side effects will we see in the months and years to come?

If your Point Of Sale Uses Oracle, Update Now

Oracle is currently the third-largest provider of POS (Point of Sale) software on the market today, which means that there’s a fairly good chance you’re using an Oracle POS system.  If you are, there’s trouble ahead.  A recently discovered security flaw could put your system at risk.

Oracle has already identified and patched the security flaw, but there’s a problem.  Since POS systems are deemed “mission critical” by most businesses, System Administrators rarely schedule maintenance for them on fears that an unstable patch or update could cause undue downtime for the company.  Because of that, it will likely be a month or more before the new update finds its way to all 300,000 of the at-risk systems.

As security flaws go, this one is fairly nasty, too, as it allows a hacker to collect configuration files from any vulnerable Micros POS system.  This data can then be used to grant the hacker full, unrestricted access to the POS system,  as well as the database and server it feeds information to.

Most hackers attacking a POS would be content with simply collecting credit card details for resale on the Dark Web However, with this exploit, any sort of malware could be installed to use against the company later.

Even worse, a hacker need not be in close proximity to the device in question.  A carefully crafted HTTP request could trigger the security flaw and open the door.  Of course, if a hacker is in close proximity to the system, then there are many easier ways to infect it.  One only needs to distract the sales clerk long enough to attach a simple Raspberry Pi board equipped to run the exploit code and the damage is done.

The bottom line is, if you use an Oracle POS, make installing the latest security patch a priority.  You’ll be vulnerable until you do.

Malware Makers Testing Vulnerability Of Meltdown And Spectre

Security researchers from around the web are reporting finding an increasing number of instances of proof of concept (PoC) code that incorporates the recently discovered Spectre and Meltdown vulnerabilities.

If you somehow missed those earlier reports, Spectre and Meltdown are a pair of critical security flaws recently discovered in literally every Intel chip set made over the last decade.  Exploiting these vulnerabilities would give a hacker root-level access to the impacted system.

Since the discovery, the chip giant has been scrambling to fix the issue. However, their first attempt to do so caused so many system problems for people who installed the patch that the company is now recommending that users avoid it until they can come up with a better solution.

Unfortunately, that leaves you between the proverbial rock and a hard place.  Installing the patch will protect you, but cause you to experience system reboots several times a day and seriously degraded performance.  Not installing it leaves you at the mercy of the hackers.

So far, at least, it appears that most of the proof of concept code found is the result of security researchers playing with the exploits.  This includes testing them, seeing how they work, and how to prevent them.  That said, the researchers point out that it’s all but certain that some of the PoC examples were created by teams of hackers who plan to use them in their next round of attacks.

To make matters worse, Mozilla has confirmed that the Spectre flaw can be executed remotely by inserting commands into Javascript.  Given that, plus the increased appearance of PoC code fragments, it seems it’s just a matter of time before we see the first ever Spectre-based hack.  The clock is ticking.

Microsoft is Adding Much Needed Feature To Windows Defender

Microsoft is getting tough on so-called “registry cleaners”, and it’s about time.  The company recently announced a planned change to Windows Defender (the anti-malware program that comes standard with every Windows installation).  The change will see to the deletion of an increasing number of these registry cleaners.  It’s a great move, and the company deserves credit for it, but there’s a catch.  This type of software has been around for decades. So the move, as welcome as it is, comes very late in the game.

It’s overwhelmingly likely that you’ve seen these programs in action.  They’re usually free downloads (though there are a few web based services too) that scan your system to find problems with your registry that the software claims are causing performance issues and slowing your machine down.

There are two major problems with this:  First, the software tends to be light on details, refusing to provide much information about exactly why the “problems” that have been identified are impacting system performance.  Worse, the software often incorrectly identifies critical system files and registry entries as being problematic. So of course, when they are deleted, they actually create many more problems than they solve.

Second, in order to actually fix the problems that have been identified, you’ve got to buy the premium version of the package.  The result is that you’re losing money, and the software often breaks your system.  Not a pretty picture.

This latest move by Microsoft builds on action they took back in 2016, when the company started penalizing the makers of such registry cleaners if their software didn’t provide adequate information. This missing information included why the problems they found needed to be fixed in the first place, and if they utilized a high pressure up-sell technique.

Ultimately, those moves proved to be insufficient, so Microsoft decided to take things to the next level.  Now, they’re simply going to start deleting these no- or low-value programs.  Late or not, that’s one less headache for you, and a very good thing.

Almost Half Of Top Ranking Websites Are Vulnerable

Menlo Security just released their third annual “State of the Web” report and it’s not pretty.  The headline finding is that 42% of the top 100,000 sites as ranked by Alexa are more dangerous than you think.

The report defines a risky site as one that meets one of three criteria:

  • The site, or one of its associated background sites (from which news articles or video is pulled), is running software with a known security vulnerability
  • The site has been used to launch attacks or distribute malware
  • The site has suffered a security breach in the past twelve months

This first point is key, and often overlooked by security professionals.  Any time your website is pulling content from another source, it creates an opening that a hacker could potentially exploit.  Worse, most security professionals lack the tools to properly monitor those connections.

As bad as that sounds, there’s an even worse detail lurking in the pages of the report, and that concerns emails.

Hackers are increasingly moving away from setting up their own domains.  Instead, they’re preferring to create a subdomain of a compromised, legitimate domain, which makes it harder to spot.  Amir Ben-Efraim, the CEO of Menlo Security, had this to say about the issue:

“It is far easier to set up a subdomain on a legitimate hosting service than use other alternatives – such as trying to hack a popular, well-defended site or to set up a brand-new domain and use it until it is blocked by web security firms.  Legitimate domains are often whitelisted by companies and other organizations out of a false sense of security, giving cover to phishing sites.

Also, hosting services typically allow customers to set up multiple subdomains.  For example, researchers found 15 phishing sites hosted on the world’s 10 most popular domains.”

The bottom line is:  The web and even the most popular sites on it, aren’t nearly as safe as you think.

Vulnerability Found In Popular Grammar Checker

On February 2, Tavis Ormandy, a researcher on Google’s Project Zero team discovered a critical flaw in the popular online grammar checking app, “Grammarly.”  Tens of millions of users make regular use of the app to improve the quality of their writing.  The bug allowed a hacker to steal a Grammarly user’s authentication token and use that token to log on and access every document they’ve run through the Grammarly system. This along with that user’s history, logs and other data. They were able to do it all using just four lines of JavaScript code.

The bug was found in both the Firefox and Chrome Grammarly extensions and was reported immediately.

While response time to such a report varies greatly, Grammarly set a new record for speed and efficiency.  The bug was reported on a Friday, and by Monday, it was patched.  If you use either the Chrome or the Firefox Grammarly extension, there’s nothing for you to do, as these should update automatically.

A spokesman for Grammarly had this to say about the matter:

“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery.  At this time, Grammarly has no evidence that any user information was compromised by this issue.

We’re continuing to monitor actively for any unusual activity.  The security issue potentially affected text saved in the Grammarly Editor.  This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension.  The bug is fixed, and there is no action required by Grammarly users.”

Kudos to Tavis Ormandy for finding the bug, and a hearty round of applause to Grammarly for their speedy and deft handling of the issue.  Given the severity of the bug, it’s easy to see how such a discovery could have gone an entirely different direction. As it turns out, Grammarly set a new bar for excellence with their handling of the issue.

Some Smartwatches May Be Able To Diagnose Diabetes

That smartwatch you’re wearing might save your life.  Literally.

A new study conducted by the University of California San Francisco, and a healthcare startup called Cardiogram revealed that smartwatches and other wearables were able to detect diabetes in previously diagnosed patients an impressive 85 percent of the time.

The study monitored health statistics of more than 14,000 smartwatch wearers (both Android and Apple) over the course of several months.  All health data that was collected was fed into a deep neural network which compared the collected data to samples taken from people both with, and without diabetes.

Obviously, while 85 percent is good, it falls short of greatness.  Then again, the AI routine (dubbed “DeepHeart”) is still in its infancy and is all but certain to continue improving over time.

That’s important, given how many people in America have diabetes.  It is estimated that there are more than 100 million Americans who either have the disease or who are prediabetic, and many of these haven’t been diagnosed yet.

Given these results, and in a bid to further improve DeepHeart’s accuracy, the company plans to incorporate the AI into the next update of its app on both iOS and Android platforms.

All that to say, if you currently have and wear a smartwatch or other wearable, it may help you in ways you can’t even begin to imagine.  This is the bleeding edge of a segment of the market that is only just beginning to emerge.  At this point, it’s so new that it would be difficult even to say it’s in its infancy.  Although we can’t know for certain what new revelations and advances wearable technology will bring to the medical field, based on what we’ve seen so far, we can say there will be a bunch of them, and they’ll all be exciting.

If you’ve been considering getting one but haven’t yet, this is a pretty solid reason to do so.

Smart TV’s May Be Tracking You And Vulnerable To Hacks

Do you own a smart TV?  More than half of all television sales in the US last year were smart TVs, so chances are decent that you own one.  If you do, be aware that it may be collecting far more data about you than you think.

Recall that last year, Samsung, (one of the top smart TV manufacturers) found itself in hot water when it was revealed that the TV could listen in on conversations, record them (for better voice recognition) and save them on a Samsung server.

Those issues still persist to varying degrees, but a recent Consumer Reports study underscores something most people in the tech business have known all along.  Smart devices really aren’t all that smart, at least when it comes to security.

The Consumer Reports study concluded that most smart TVs and associated technologies like the Roku have only the most rudimentary of security features and can easily be hacked, giving the hackers total control of your TV. This includes the ability to turn it off, on, change the channel, and monitor your viewing habits.  Given that, these TVs can also be voice-controlled. Once a hacker is in control of your set, he could monitor any conversations that take place near it without your knowledge.

In addition, the most recent smart TVs come with a feature called Content Recognition.  For example, if you watch the latest episode of the Walking Dead (whether on AMC or Amazon Prime or some other streaming service), the next time you pull up a web page on your PC or smart phone, you’ll start seeing advertising related to the Walking Dead.

This, of course, gives any would-be hacker a much deeper view into your viewing habits and history.

The upside is that most of these features can be deactivated if you have the patience to sift through the television’s menu system. Of course, if you do that, then it’s no longer a smart TV, and thus, not worth the extra money you spent on it.

As ever, the bottom line is this:  These kinds of risks aren’t going to go away on their own.  Until and unless smart device makers start taking security more seriously, we’re going to keep hearing about potential or actual abuses.