No Spectre Fix For Certain Intel Processors

The bad news just doesn’t seem to stop where Intel and the Spectre vulnerability are concerned. The latest bit of news comes directly from Intel, as the company admits that it’s just not possible to address the Spectre vulnerability in some of its older hardware. This means that nine families of chips and more than 230 models of computers (mostly manufactured between 2007 and 2011) will remain vulnerable to Spectre forever.

The company has stopped Spectre mitigation development on the following families of chips:

  • Bloomfield
  • Clarksfield
  • Gulftown
  • Harpertown Xeon
  • Jasper Forest
  • Penryn
  • SoFIA 3GR
  • Wolfdale
  • Yorkfield

A company spokesman had this to say about the recent announcement:

“We’ve now completed the release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google.  However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”

It’s unfortunate, but not entirely unexpected.  If you have any older Intel equipment still in service at your company, have your IT group check the processor family. If it’s one of the above, it’s well worth marking those systems high priorities for upgrades, and limiting their use until you can.
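For the Linux machines in that inventory, the check can go one step further than the family name. The script below is an added example, not something from Intel or the original article: it reads the kernel's own Spectre v2 report and the CPU flags that only appear once updated microcode is loaded. The sample CPU text and the verdict names are constructed for illustration.

```python
"""Report a Linux host's Spectre v2 mitigation state from kernel-exported data."""
from pathlib import Path

SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
CPUINFO = Path("/proc/cpuinfo")
# /proc/cpuinfo flags that appear only when microcode exposes the branch controls.
MICROCODE_FLAGS = {"ibrs", "ibpb", "stibp"}


def parse_cpuinfo(text):
    """Return (model name, microcode revision, flag set) of the first logical CPU."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break  # a blank line ends the first CPU's stanza
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return (fields.get("model name", "unknown"),
            fields.get("microcode", "unknown"),
            set(fields.get("flags", "").split()))


def assess(cpuinfo_text, spectre_v2_text):
    """Classify the host; 'software-only' means no microcode-provided controls."""
    model, microcode, flags = parse_cpuinfo(cpuinfo_text)
    status = spectre_v2_text.strip()
    if status.startswith("Not affected"):
        verdict = "not-affected"
    elif not status.startswith("Mitigation"):
        verdict = "vulnerable"
    elif flags & MICROCODE_FLAGS:
        verdict = "mitigated"
    else:
        verdict = "software-only"  # e.g. retpoline in the kernel, old microcode
    return {"model": model, "microcode": microcode,
            "kernel_status": status, "verdict": verdict}


# Constructed sample: an older CPU running without updated microcode.
SAMPLE_CPUINFO = """processor\t: 0
model name\t: Intel(R) Core(TM)2 Duo CPU (constructed sample)
microcode\t: 0xa0b
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1

processor\t: 1
model name\t: Intel(R) Core(TM)2 Duo CPU (constructed sample)
"""
SAMPLE_STATUS = "Mitigation: Full generic retpoline\n"

if __name__ == "__main__":
    if SPECTRE_V2.exists():
        result = assess(CPUINFO.read_text(), SPECTRE_V2.read_text())
    else:  # not Linux, or a kernel that predates this report: show the sample
        print("no kernel report found; showing constructed sample")
        result = assess(SAMPLE_CPUINFO, SAMPLE_STATUS)
    for key, value in result.items():
        print(f"{key:14} {value}")
```

A "software-only" or "vulnerable" verdict on hardware from the families listed above is the state that will not improve, since no further microcode is planned for them.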

Spectre is a devastating flaw, and it’s just not worth the risk to leave exposed systems connected to your network and in service. This is especially true now that it’s official that no help is coming for certain older systems.

Even worse, AMD chips, which are not impacted by Spectre and Meltdown, have since been found to have their own critical security flaws.  While not as bad or as pervasive as the two Intel is facing, they will nonetheless require the company to issue its own microcode updates, which they are currently scrambling to do.

The long and the short of it is that there really are no safe harbors anymore.

Panera Bread Customer Accounts Exposed To Threats

Panera Bread company is the latest to find itself in hot water.  Recently, security researcher Dylan Houlihan discovered that the company had failed to encrypt (or otherwise protect) a file containing usernames, email addresses, physical addresses, phone numbers and loyalty account numbers for a staggering thirty-seven million of its customers.

The file was found stored as plain text, and accessible to anyone who bothered to go looking for it. The good news is that no one appears to have absconded with the data, so odds are that even if you’re a Panera customer, you’re not at risk. The bad news is that Panera’s handling of the incident to this point has been dreadful, to say the least.

First, the company was slow to even acknowledge that there was a problem, and when they did, they attempted to downplay the number of users the oversight impacted.  Second (the truly disturbing part of the ongoing story), even when the company did acknowledge the scope and scale of the incident, they left the plain text file on the website. It was completely unsecured until the security professional (Houlihan) contacted them a second time.

To date, their most detailed response has been that the investigation into the matter is ongoing.

There’s a harsh lesson here for any business owner. This is a textbook example of how not to respond to an incident like this. There are so many different things Panera could have done to make this a non-issue. The first would have been to immediately take the file down or secure it. The next would have been to immediately notify all the customers on the list (just in case the file had been downloaded by hackers). The last would have been to issue a detailed action plan assuring customers that the company was taking steps to make sure something like this would not happen in the future. Sadly, exactly none of that has happened.

Be Careful, Searches May Provide False Download Links

If you’re downloading software from the web, be careful.  Take the extra step of verifying that you’re on the developer’s website, because the hackers have a new trick up their sleeve.  It’s actually a deceptively simple one.

Hackers are buying ads on Google and Bing’s search engines, with the links in their ads pointing to malicious sites they control.

This is an almost shockingly simple technique, and broadly speaking, it works like this:

Searches are keyword-based.

Anyone can bid for advertising space on the major search engines.  The higher you bid on any given search term, the more often your ad gets displayed.

Ads are always displayed at the top of the search results, with the organic results coming below them.  Bid high enough on a high traffic keyword, and your ad gets seen by lots of people.

The danger, of course, is that people tend to trust search engine results to take them where they want to go. Often, users won’t pay much attention to the site URL they’re being directed to.  Hackers take advantage of that fact, putting poisoned sites literally right under the noses of unsuspecting users.

Recently, researchers discovered that if you search the term “Chrome download” on Bing, the ad that most commonly gets displayed doesn’t take you to Google’s download area. It takes you to a poisoned site that offers malware disguised as Chrome, and a high percentage of users are clicking the link and downloading without paying attention to where they are.

This kind of campaign is possible because hackers are making tons of money elsewhere, stealing personal information and reselling it.  They’ve got money to spend, and are spending it to further extend their reach.

The lesson here is simple: Even if you’re on a popular search engine, pay close attention to where the links are leading on the search results page.  Failing to do so can have tragic and expensive consequences.
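The "pay close attention to where the links are leading" step can be made mechanical. The following is an added example, not part of the original article: it checks a link's real host against the hosts you expect for a product, and it goes slightly beyond the article by also flagging common ways a URL can look official without being so. The allowlist, the reason strings and the `.example` hosts are assumptions made up for illustration.

```python
"""Check a download link against the vendor hosts you expect before trusting it."""
from urllib.parse import urlsplit

# Assumption: the hosts this reader accepts as official for each product.
OFFICIAL_HOSTS = {"chrome": {"google.com"}}

NOT_HTTPS = "scheme is not https"
USERINFO = "text before '@' hides the real host"
PUNYCODE = "punycode label (possible lookalike characters)"
WRONG_HOST = "host is not an official domain or a subdomain of one"


def belongs_to(host, domain):
    """True for the domain itself or a real subdomain, never a mere substring."""
    return host == domain or host.endswith("." + domain)


def check_download_link(url, product):
    """Return the reasons to distrust url; an empty list means it passed."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    reasons = []
    if parts.scheme != "https":
        reasons.append(NOT_HTTPS)
    if parts.username is not None:
        reasons.append(USERINFO)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(PUNYCODE)
    if not any(belongs_to(host, d) for d in OFFICIAL_HOSTS[product]):
        reasons.append(WRONG_HOST)
    return reasons


# Constructed sample links; the .example hosts are placeholders, not real sites.
SAMPLES = [
    "https://www.google.com/chrome/",
    "https://www.google.com.chrome-setup.example/download",
    "https://www.google.com@files.example/chrome.exe",
    "http://www.google.com/chrome/",
    "https://xn--ggle-abc.example/chrome",
]

if __name__ == "__main__":
    for link in SAMPLES:
        problems = check_download_link(link, "chrome")
        print("OK  " if not problems else "WARN", link)
        for problem in problems:
            print("      -", problem)
```

Run the check on the address shown once the page has loaded, since an ad's click-through link usually passes through a tracking redirect first.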

T-Mobile Site Leaked Data On Millions Of Customers

ZDNet Researcher Ryan Stevenson recently found a big problem on T-Mobile’s website regarding an unprotected API. As a result of the flaw, untold millions of T-Mobile’s customers’ account information was left exposed and completely unprotected. Literally anyone who stumbled across the site and tried to abuse it could access a wide range of customer information with no password required.

This includes, but is not limited to:

  • Customer name
  • Phone number
  • Mailing Address
  • Account Number
  • The status of the account (current, past due, suspended, etc.)

In an unknown number of cases, tax IDs and PINs were also exposed.

T-Mobile has a bug bounty program and pays a bounty to anyone who discovers a flaw that impacts the company.  Stevenson received a $1,000 reward for discovering the issue, and subsequent research revealed that the flaw had been present on the company’s website since October, 2017 or prior.

T-Mobile’s handling of the incident has been less than stellar so far.  Although they have acknowledged the existence of the issue and have already moved to correct it, the company has issued no information relating to how many customer records were exposed.

There is no evidence that any of the exposed records were inappropriately accessed. Typically, when an incident like this occurs, the company in question provides details relating to the scope and scale of the incident, informs all potentially impacted customers and usually provides a year of free credit and identity monitoring.  So far, none of that has occurred.

While it’s certainly possible that the company may take these steps in the future, we were both surprised and disappointed that they had not already done so, especially given the fact that this was essentially a self-inflicted wound.  Here’s hoping that in the days ahead, they do something to earn back the lost trust.

Google Wants Children Watching YouTube Kids App

More often than not, Google is seen as a force for good on the internet. However, in one area in particular, their actions and words haven’t been in alignment, and it’s gotten them in trouble.

Here’s Google’s official statement about their YouTube Kids service:

“Protecting kids and families has always been a top priority for us.  Because YouTube is not for children, we’ve invested significantly in the creation of the YouTube Kids app to offer an alternative specifically designed for children.”

That statement is true as far as it goes, but there’s an important catch. The YouTube Kids app is frustratingly difficult to get. You can’t install it on your Xbox. Most smart TVs on the market today don’t support it, and you can’t put it on a PC. Aside from a few models of LG and Sony smart TVs, and smartphones, it’s just not an option.

Contrast that with the regular YouTube app, which has been rolled out to just about every platform there is, and it’s easy to see where Google’s primary focus is.

It’s not hard to understand the reasoning behind the difference in availability.  One of the key differences between YouTube and YouTube Kids is that the latter doesn’t have targeted advertising, while the former does. Google makes a lot of money on YouTube ads.  It’s simple economics.

Unfortunately, it’s also gotten the company into hot water.  They’ve had complaints from more than 20 consumer advocacy groups, who have banded together and taken their case to the FTC.

In part, the complaint reads as follows:

“Google has made substantial profits from the collection and use of personal data from children on YouTube.  Its illegal collection has been going on for many years and involves tens of millions of US children.”

Ultimately, what the advocacy groups want is for Google to move all kid-centric content over to YouTube Kids. However, the company would be extremely reluctant to do that because their kid-friendly app has such limited availability.

This is a thorny issue with no easy answers, and at this point, it’s unclear how Google is going to respond to the complaint.

FBI Advises Users To Reboot Their Routers

Cisco’s Talos Security Team has identified a new threat, and it’s a nasty one impacting more than half a million consumer-grade routers in the US. According to the Talos Team’s report, the new malware is impacting a broad cross-section of routers made by TP-Link, QNAP, Netgear, MikroTik, and Linksys.

Known as “VPNFilter,” the malware currently infecting routers appears to be the first stage in a multi-phase attack, with the first segment allowing the hackers to collect a wide range of communications data and slave the device to launch attacks on others.  The code also contains a kill command that allows the hackers to destroy the device at will.

As of now, the FBI has already taken swift action and has seized a domain used by the hackers as a means to deliver the later stages of the attack. They report that the primary and secondary means of further infection have been dismantled.  They also report, however, that the hackers still have a fallback method of infection, which relies on sending “poisoned” data packets to each infected device.

Based on an evaluation of the code and the presence of redundant mechanisms for delivering the later stages of the infection, the code has been traced to a Russian hacking group with deep ties to the Russian government.  The group is known by a variety of names, including Fancy Bear, Sofacy, APT 28, and Pawn Storm.

On the heels of seizing the domain, the FBI released a statement that includes:

“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices.  Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled.  Network devices should be upgraded to the latest available versions of firmware.”

Windows 10 Gets iTunes App For Apple Users

Apple promised that its iTunes app would be available on the Microsoft Store by the end of 2017.  The announcement was greeted with enthusiasm, but unfortunately, the company didn’t meet their own deadline. They cited the need for more time to build a more robust user experience for Windows users.

The wait is finally over, and it’s big news, because some Windows 10 machines can only download apps, and prior to this, iTunes was offered as a standalone download only.

The app is fairly sizeable, weighing in at 476.7MB, and is compatible with both x86 and x64 PCs.

A recent Microsoft blog post had this to say about the announcement:

“Now you can download iTunes from Microsoft Store and easily play your favorite music, movies and more – right from your Windows 10 PC.  iTunes is also home to Apple Music, where you can listen ad-free to over 45 million songs and download your favorites to enjoy without using WiFi.  iTunes is free to download, and you can try Apple Music free for three months.  There’s no commitment, and you can cancel anytime.”

One thing to be aware of is that if you already have an older version of iTunes installed on your machine and you download this app, it will automatically replace your older version.  It is recommended, therefore, that you back up your data before downloading the latest.  While it does offer a better user experience, it’s not worth the loss of your existing library of files.

Kudos to both Apple and Microsoft here. Apple for bringing an excellent free app to the Microsoft Store, and Microsoft for continuing to play nice with their longtime rival, and allowing their massive user base the pleasure of enjoying a portion of Apple’s wonderfully robust ecosystem.

Apple Users Are Getting Group FaceTime

Apple’s legions of users love FaceTime, but there’s a problem with the highly popular app. It only allows you to see and talk to one person at a time. Apple fans have been clamoring for Group FaceTime for almost as long as the app has existed, and soon, they’ll get their wish.

Beginning with iOS 12, Group FaceTime will finally be “a thing,” allowing you to simultaneously talk with up to 31 of your contacts.  Even better, the new functionality will allow you to turn any iMessage group chat into a group FaceTime session, and switch back to iMessage at will.

Don’t want to be on camera in a group setting?  Apple has an answer for that too.  The company has announced that when Group FaceTime is rolled out, you’ll be able to place an Animoji over your face, or apply one of several different photo filters to disguise you. This is because they know that some days, you just might not feel “camera ready.”

At the end of the day, Group FaceTime is probably going to be a lot like tabbed browsing was for many users.  Until you try it, and until it’s readily available, you won’t truly appreciate its value. Once you try it for the first time, it won’t be long before you’re unable to imagine life without it.  It’s a cool, indispensable addition whose time has come.

Kudos to Apple’s loyal fan base for keeping Group FaceTime on the radar, and kudos to Apple itself for finally listening to their customers and giving them what they want.  While we could quibble that they took longer than we’d like to make this feature a reality, in the end, they listened.  That is the essence of business, isn’t it?  Giving your customers what they want.

Can Computer Data Be Stolen Through Power Lines?

If you have an air-gapped computer, you probably think you’re safe.  You may think that barring physical access to the machine, no hacker could possibly steal the data on that machine.  Unfortunately, you’d be incorrect.

Security researchers from the Ben Gurion University of the Negev, in Israel, have discovered a new way of stealing data using power lines.  While that may sound like science fiction, it’s actually real and a genuine threat, even to computers thought to be highly secure.

If you’re not familiar with the term, an air-gapped computer is one that is isolated from local networks and the internet. Because they’re not connected to anything, these machines have long been regarded as the ultimate in data security and are used by governments and corporations to store their most sensitive data.

Here’s what the researchers had to say about their discovery:

“As a part of the targeted attack, the adversary may infiltrate the air-gapped networks using social engineering, supply chain attacks, or malicious insiders.  Note that several APTs discovered in the last decade are capable of infecting air-gapped networks (e.g. Turla, RedOctober and Fanny).

However, despite the fact that breaching air-gapped systems has been shown feasible, the exfiltration of data from an air-gapped system remains a challenge.”

Up until now, anyway.

The researchers have dubbed this new technique “PowerHammer,” and it accomplishes the task of siphoning data from air-gapped systems by creating fluctuations in the flow of electrical current to create a Morse-code-like pattern, which can be used to create a simple binary system.

That accomplished, the only other thing that’s needed is a piece of hardware to monitor the flow of electricity as it passes through power lines and then decode the signal. According to the research team, data transfer speeds of up to 1000bps can be achieved.

This should scare the daylights out of anyone in data security.

Embedded Sound Waves Could Damage Your Computer

It seems like a new attack vector emerges on a weekly basis, and this week is no exception. The latest threat: emails containing specialized audio files whose acoustic vibrations can damage your computer’s hard drive. The damage is possibly severe enough to cause system failure and data corruption, and to make it impossible to successfully reboot your machine.

As the researchers point out, “Intentional acoustic interference causes unusual errors in the mechanics of magnetic hard disk drives in desktop and laptop computers, leading to damage to integrity and availability in both hardware and software such as file system corruption and operating system reboots.  An adversary without any special-purpose equipment can co-opt built-in speakers or nearby emitters to cause persistent errors.”

It should be noted that as scary as this type of attack sounds, in practice, it is of limited value.  An increasing percentage of laptops and desktop PCs sold today come with SSDs for storage, which are not vulnerable to this type of attack.

In addition to that, not just “any” sound will do. For the attack to be successful, the acoustic vibrations have to be strong enough to do real harm, and quiet enough that the attack is difficult to detect, lest it be aborted immediately. The combination of those two factors makes it unlikely that this one will gain widespread attention from the hacking community. Nonetheless, it pays to be both mindful and vigilant, especially if you have an older PC or work in an office with older equipment.

The research team who discovered the new attack vector have created a new sensor fusion model that could be delivered through a firmware update.  Once updated, it would prevent unnecessary head parking in the hard drive, thus limiting the potential damage the attack could cause.  So far, there has been no word that PC manufacturers are considering making the necessary changes to their firmware.  Time will tell.