SIM Cards Can Now Be Built Into Processors

SIM cards have long been a source of frustration for equipment manufacturers.  With the relentless drive to produce smaller and smaller devices, the SIM card is a hurdle to be overcome.  It’s relatively large, and when you account for the necessary housing, it becomes quite the design challenge.

That challenge seems to have been met, however.  ARM, a prominent chip design firm, has recently announced the development of the iSIM.  The iSIM is built into the processor, and according to the company, only takes up a fraction of a square millimeter.  To put that figure into context, today’s SIM cards measure 12.3 x 8.8mm, so ARM’s new design represents significant space savings indeed.

There’s a catch, though.  Although the new design is ready, and is already in the hands of ARM’s business partners for evaluation, there’s no guarantee that cell phone providers will accept the new technology and incorporate it into the next generation of phones.

ARM doesn’t think this will be an issue, although phones weren’t at the forefront of the company’s mind when they developed the iSIM.  Their main goal was to build the integrated SIMs to help power the next generation of tiny IoT devices, but this, ARM contends, is the very reason why phone carriers will welcome the new technology with open arms.  After all, more devices connected to their respective networks means more opportunities to profit.

In any case, time will tell the tale.  ARM is expecting that their business partners will readily embrace the new technology, and we should begin seeing products on the market utilizing the iSIM by the end of this year.  This will be a fascinating innovation to watch. If it succeeds the way ARM hopes, it will lead to the creation of a whole new generation of even smaller devices.

5G Cellular Service Is Beginning To Roll Out

AT&T has big plans for their future and yours.  If they’re your carrier of choice, and if you live in the cities of Dallas, Atlanta, or Waco, then you stand to be on the cutting edge of the changes the company has in store. Those locations have been selected to be the first to receive AT&T’s 5G network upgrade.

Often, whenever a new technology is touted, you hear the phrase “this changes everything” associated with it. However, after listening to an AT&T spokesman talk at length about the capabilities of the new 5G network, the phrase is much more than just hot air and wishful thinking.  From the sounds of it, it really does change everything.

Here’s what a company official had to say on the matter:

“We are working with our vendors on an aggressive schedule to help ensure customers can enjoy 5G when we launch the network this year.  We will add more 5G-capable mobile devices and smartphones in early 2019 and beyond.

After significantly contributing to the first phase of 5G standards, conducting multi-city trials, and literally transforming our network for the future, we’re planning to be the first carrier to deliver standards-based mobile 5G–and do it much sooner than most people thought possible.

What this means for our customers in these cities is that they will be the very first to access this next generation of wireless services.  The experience we’ve gained by leading the industry transformation to network virtualization and software control will help our customers to get the most out of 5G.  Ultimately, this means new experiences with augmented reality and virtual reality (AR/VR), future autonomous cars and delivery drones.

In order for these new experiences to become reality, you need mobile 5G powered by SDN and edge computing.  We’re making the cloud smarter, faster, and local.”

By all accounts, there are exciting times ahead.  If you’ve been thinking about switching to AT&T, this might be a good reason to do so.

Google Calls Out Microsoft For Security Issue

Depending on who you ask, Google’s Project Zero is either the thing that’s going to singlehandedly save the internet, or the bane of many companies’ existence.  It’s easy to see both sides of the argument.

On one hand, by uncovering previously undiscovered bugs in all manner of software and handing that information over to the authors, Google is undeniably performing a valued public service.  The problem has never been with the “carrot” side of the equation, always with the stick.

The stick is this:  Google gives each company 90 days in which to address the bug.  If they take no action during that time, then Google will announce the existence of the bug to the world, which, of course, means that hackers everywhere immediately have access to a new exploit.

This approach often accomplishes what contacting the vendor privately does not.  Once the bug becomes common knowledge, the company in question is essentially forced to fix the problem, thus making the internet safer.

It should be noted that Google does allow exemptions to the 90-day rule.  If a company is hard at work on a fix and needs more time, Google has been known to delay their announcement.  In a similar vein, if a bug is simply catastrophic in scope and scale, the company has been known to make the announcement to help deploy resources of multiple companies toward addressing the issue.

More than 90 days ago, the Project Zero team discovered a pair of security flaws in Microsoft products: one in their Edge browser, and the other in the Windows 10 OS.  One of the two got fixed.  The other did not, and Google called them out for it.

Needless to say, Microsoft is not pleased, and they have hit Google back for such behavior in the past. They scored a PR victory last year when Microsoft engineers discovered a flaw in Google’s Chrome browser, contacted the company privately so they could fix the issue, and then bragged about their more responsible approach after the fact.

It will be interesting to see what Microsoft does in this instance.

RottenSys Malware Has Infected 5M Android Devices Since 2016

There’s a new threat on the horizon, according to security researchers from Check Point.  A group of hackers in China is busy building a massive botnet that, so far, totals almost five million Android smartphones.  The hackers are quietly taking control of these devices using a strain of malware known as “RottenSys.”

While the malware is flexible and can be adapted to any number of purposes, in its present incarnation, it’s being used to display copious numbers of advertisements. This generates a healthy revenue stream for the hackers, but that could be just the beginning.  The researchers have found evidence that the hackers are gearing up for a campaign that could be much more far-reaching and damaging.  According to Check Point: “This botnet will have extensive capabilities, including silently installing additional apps and UI automation.”

RottenSys is fairly new to the malware ecosystem, first appearing in September 2016. So far, the hackers have spent most of their time simply spreading their creation to more devices.  At current count, the number of infected Android phones stands at 4,964,460, and it grows by the day.

It wasn’t until last month that RottenSys got an update that gave its owners the ability to take direct control of all the devices.  Prior to that, they were happy to simply rake in ad revenue, which is estimated to exceed $350,000 a month.

Currently, the malware hasn’t spread beyond the confines of China, but that could easily change as the hackers seek to add an increasing number of devices to their already massive botnet.

What makes RottenSys notable is the fact that it has managed to spread to so many devices in such a short period of time.  As it turns out, the secret to the hackers’ success has to do with the code the malware is built around, which includes both “Small” (an open source virtualization framework) and “MarsDaemon,” a library that keeps apps “undead,” meaning the malware’s processes continue to operate even after users close them. This ensures that the ad-injection capacity cannot be disabled.

Only time will tell what the hackers have planned, but it can’t be anything good. They’ll have a formidable botnet to do damage with. Stay tuned.

Remote Desktop Flaw Affects Every Windows Version

Researchers at Preempt Security recently discovered a critical flaw in Microsoft’s Credential Security Support Provider protocol (CredSSP for short) that impacts every version of Windows in existence. It could allow a hacker to remotely exploit Windows Remote Desktop to execute malicious code and steal any data stored on the machine.

The flaw, logged as CVE-2018-0886, would allow a hacker to execute a man-in-the-middle attack (provided that they had Wi-Fi or physical access to the machine) and steal authentication data via a Remote Procedure Call attack.

Yaron Zinar, a lead researcher at Preempt, had this to say about the flaw:

“An attacker which has stolen a session from a user with sufficient privileges could run different commands with local admin privileges.  This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.  This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers.”

This is a big deal because Windows Remote Desktop is hands-down the most popular means of performing remote logins. In addition, businesses of all shapes and sizes make regular use of RDP for a variety of purposes, making them vulnerable until the flaw is patched.

Microsoft released a fix for the issue as part of their March 2018 Patch Tuesday, but security professionals close to the issue warned that simply applying the patch is not enough to provide protection.  You’ll also need to instruct your staff to make a few configuration changes (explained in the documentation surrounding the issue), including limiting your use of privileged accounts as much as possible and using non-privileged accounts whenever possible.

The March 2018 patch release was a hefty one, and included patches for a number of products including Core ChakraCore, PowerShell, Microsoft Office, Windows (OS), and both the Edge browser and Internet Explorer.

Another Google Service Is Going Away

If you are a fan of, and regularly use, goo.gl (the URL shortener service), brace for impact.  The company has announced that as of March 30, 2019, the service will be shut down for good.  Long before then, beginning April 18th of this year, only existing users will be able to shorten links via goo.gl.  No new signups will be allowed.

The company had this to say about the recent announcement:

“The URL Shortener has been a great tool that we’ve been proud to have built.  As we look towards the future, we’re excited about the possibilities of Firebase Dynamic Links, particularly when it comes to dynamic platform detection and links that survive the app installation process….FDLs are smart URLs that allow you to send existing and potential users to any location within an iOS, Android or web app.”

Fortunately, we’re not actually losing a service as much as we’re seeing one swapped out for something better and arguably next generation.  It is worth mentioning that Google does not have any plans to auto-migrate goo.gl links to Firebase Dynamic Links.  If you opt to use the new system, you’ll have to export your short links and then import them manually into Firebase.

Given this, it’s expected that at least some percentage of goo.gl users will simply opt to shift to other URL shortening services such as Bit.ly or Ow.ly.

Although Google is not ending support for the service to make life more difficult for hackers and spammers, that’s one of the unintended consequences of the move. Both spammers and malware authors regularly make use of goo.gl.  Sadly, legions of Marketing departments and other legitimate users do too, and many aren’t thrilled that although Google is offering an ostensibly better and more robust alternative, they’re not offering any means of auto-migration to the new platform.

MyFitnessPal User Information Data Breach Affects 150 Million

Another week, another high-profile data breach.  This time, it’s Under Armour in the hot seat.  Under Armour acquired the MyFitnessPal app back in February 2015, and the company recently announced that their new acquisition was hacked in late February 2018.

So far, the company is taking all steps we’ve come to see as usual in these circumstances.  They’ve notified their user base about the scope and scale of the attack, which impacted a hefty 150 million users.  In conjunction with the announcement of the event itself, they assured their users that the theft of data was limited to user names, email addresses and encrypted passwords.

Although the stolen passwords are hashed with bcrypt (which is a highly secure solution), the company is still recommending that all of the app’s users change their passwords immediately, just to be safe.  Under Armour also assures its MyFitnessPal users that no credit card information was exposed.

In a departure from the routine we’ve come to expect in situations like these, the company is also warning users to be aware that since their emails were stolen, they may be subject to phishing scams in an attempt to get more of their personal information.

That announcement, in part, reads as follows:

“Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data.  If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal and may be an attempt to steal your personal data.  Avoid clicking on links or downloading attachments from such suspicious emails.”

While Under Armour’s handling of the incident has been solid so far, one has to wonder how many more of these incidents we’ll see before companies start taking data security more seriously.

Huge Spike in Malware With Mining Capabilities

There’s a new type of hacking attack to be concerned with, and it’s growing by leaps and bounds.  Called “Crypto-Jacking,” it’s a process by which malicious code is placed on websites. When the sites are visited, the code secretly siphons off a portion of the processing power of the affected user’s PC, laptop, or smartphone and uses it to mine for various cryptocurrencies so that the hackers can profit from it.

Kevin Haley, the Director of Symantec’s Security Response Team, had this to say about the issue:

“Cryptojacking just came out of nowhere.  I think what we’re going to learn in the year to come is when people see the opportunity to take money, they’re going to come up with some really wild ways to do that.”

Based on the statistics the company has been collecting, cryptojacking increased a whopping 8500 percent in the fourth quarter of 2017 alone. As the prices of various cryptocurrencies continue to rise, we can expect to see even more of this because it provides the hackers with a hands-free method of gaining tremendous profits with almost no risk or exposure.

Mike Fey, the President and COO of Symantec, adds, “Cryptojacking is a rising threat to cyber and personal security.  The massive profit incentive puts people, devices and organizations at risk of unauthorized coin miners siphoning resources from their systems, further motivating criminals to infiltrate everything from home PCs to giant data centers.”

Perhaps the most insidious aspect of this new attack vector is how easy it is to pull off.  Even a low-skill hacker with a very limited toolset can manage to insert the handful of lines of code needed to begin siphoning resources.

Unlike most other forms of attack, however, no company data is directly at risk.  What you can expect to see, though, are serious performance hits as more of your equipment becomes infected.  It’s not a happy situation given the importance of speed in today’s fast-paced business environment.

Having Chrome Issues Since The Latest Windows 10 Update?

Microsoft has been having some “issues” of late.  Its April Windows 10 rollout had to be delayed on account of some mysterious BSOD (“Blue Screen of Death”) issues. This month’s rollout is plagued by similar problems, trading the BSOD issues for problems with both “Hey Cortana” and Google’s Chrome browser.

The problem is that when you try to navigate the web using Chrome with the latest Windows 10 update, the entire system will inexplicably hang.  The company is hoping to have a fix ready for release in time for the next “Patch Tuesday” on May 8, but in the meantime, offered the following suggestions to users who are impacted by this issue:

  • If you’re on a laptop, sometimes (but not always) opening and closing the lid will revive the system.
  • Failing that, or if you’re not on a laptop, try using the keyboard combination: Win + Ctrl + Shift + B. This activates the “wake screen” sequence.
  • If you’re on a tablet, press the volume up and volume down buttons at the same time, three times within two seconds. If you hear a short beep, then you know Windows is responsive, and it will attempt to refresh the screen.

If none of the above works for you, then your only other option is to simply reboot the system, which is beyond annoying.  Fortunately, however, it’s only temporary. The company is currently working on a fix (although whether it’s ready by Patch Tuesday remains to be seen).

While this is by no means the kiss of death, it is troubling that the last two updates have had major issues.  Unless the issue is identified and remedied, the company could be facing larger and more pervasive problems in the months ahead.

Firefox To Start Showing Ads On Tab Page

Before Google released its Chrome browser, Firefox felt pretty good about their arrangement.  They got a handsome reward in exchange for making Google.com their default search engine.  It was a win-win.

These days though, Firefox’s position is a bit more precarious.  The Google deal is still the main source of the company’s income, but they’re also in direct competition with Chrome.  If Google one day decides to pull the plug on the deal, the company could find itself in dire straits indeed.

That’s why they’ve been casting about for some means of expanding and diversifying their revenue, and the strategy they’ve hit on is advertising.

Don’t worry, you’re not about to be buried under a mountain of annoying ads, but with the release of Firefox 60, any time you open a new tab, you’ll see a listing of recommended links based on your browsing history.

Anytime the conversation turns to “recommended links” it naturally brings privacy concerns to the fore.  After all, the only way Firefox can make sensible recommendations you’re likely to be interested in is to track your browsing habits.

Here though, the company has an innovative approach: all the tracking happens on the client side, so Firefox doesn’t actually store anything. They will, however, track how many of the “recommended links” you visit, so they can cull the list and remove any of the ones you don’t bother with, so they don’t keep reappearing.

On balance, it’s a good, even-handed approach that should solve the company’s revenue problems, while treading lightly on the good graces of their user base.

Like it or not, ads are an unavoidable consequence of the internet as it exists today.  At the very least though, Firefox deserves credit for not making excessive use of them, and for respecting the privacy of its users by coming up with a non-intrusive method of deciding what links to display.