Windows 10 Gets New Set Of Recommended Security Standards

Microsoft has introduced a new set of standards designed to make computers running Windows 10 more secure.

Obviously, these standards are not industry requirements, and most of the off-the-shelf PCs you can buy will struggle to meet all of these requirements. In time, of course, that could change, but as things stand now, if you’re interested in making your computer as safe and secure as it possibly can be, this is a road you’ll have to go down on your own and make the necessary mods and additions to your existing equipment. Here’s the summary, in a nutshell:

• A 7th-generation Intel or AMD processor, because these are the first to implement MBEC (Mode-Based Execution Control), which lets the hypervisor enforce kernel code integrity without a heavy performance cost
• A 64-bit processor, since VBS (Virtualization-Based Security) requires it
• An IOMMU (Intel VT-d, AMD-Vi or ARM64 SMMUs), so that device DMA can be restricted through input-output memory management unit virtualization
• A TPM 2.0 (Trusted Platform Module), either built into the chipset or added as a discrete part
• Platform Boot Verification (such as Intel Boot Guard or AMD Hardware Verified Boot), so that firmware not authorized by the system manufacturer cannot load
• At least 8 GB of RAM
• UEFI (Unified Extensible Firmware Interface) 2.4 or later
• Support for the Windows UEFI Firmware Capsule Update specification, so firmware updates can be delivered through Windows Update
• Drivers that are Hypervisor-based Code Integrity (HVCI) compliant
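Before replacing hardware it is worth knowing which of these requirements a machine already meets. The following script is an added example, not something Microsoft ships with the standard: run from an elevated PowerShell prompt, it reads the documented Win32_DeviceGuard and Win32_Tpm classes and reports each requirement as met or not. CPU generation and the UEFI specification version are not exposed through WMI, so MBEC availability and DMA protection are used as proxies for the processor and IOMMU requirements; capsule-update support is not checked.

```powershell
# Added example: read-only check of the Windows 10 "highly secure device" requirements.
# Property codes follow the Win32_DeviceGuard documentation:
#   AvailableSecurityProperties: 1 = base virtualization support, 3 = DMA protection (IOMMU),
#                                7 = Mode Based Execution Control (MBEC)
#   SecurityServicesRunning:     2 = HVCI (Hypervisor-based Code Integrity)
function Test-HighSecurityBaseline {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    $props   = @($dg.AvailableSecurityProperties)
    $running = @($dg.SecurityServicesRunning)

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not met".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # Sum installed DIMM capacity rather than TotalPhysicalMemory, which excludes
    # memory reserved by firmware and would report an 8 GB machine as slightly less.
    $installedGB = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                    Measure-Object -Property Capacity -Sum).Sum / 1GB

    $checks = [ordered]@{
        '64-bit OS'                = [Environment]::Is64BitOperatingSystem
        'UEFI firmware'            = ($env:firmware_type -eq 'UEFI')
        'Secure Boot enabled'      = [bool]$secureBoot
        'TPM 2.0 present'          = ($tpmSpec -like '2.0*')
        'VBS hardware support'     = ($props -contains 1)
        'IOMMU / DMA protection'   = ($props -contains 3)
        'MBEC (7th-gen CPU proxy)' = ($props -contains 7)
        'HVCI running'             = ($running -contains 2)
        'RAM >= 8 GB'              = ($installedGB -ge 8)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Met = [bool]$checks[$name] }
    }
}

Test-HighSecurityBaseline | Format-Table -AutoSize
```

A machine can have the hardware and still show "HVCI running" as false: that row reflects configuration, not capability, and is the one you can usually fix without buying anything by enabling memory integrity in Windows Security (Device security, Core isolation).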

At first blush, this list seems a bit daunting, but the cost requirements to better secure the Windows 10 PCs on your network are really not as bad as they first appear. In fact, it is possible to find a few off-the-shelf PCs that meet the newly published security standards, so if you’re ready to replace some of your network equipment, you do have at least a few options that don’t require you to custom build.

In any case, although it’s true that the new standards aren’t a magic bullet, they will certainly go a long way toward making your network as a whole more secure, making them a welcome addition indeed.

Hard Drives Susceptible To Sound Waves, Can Double As Microphones

File this one away under “obscure and terrifying.”

Recently, a security researcher named Alfredo Ortega, speaking at a security conference in Buenos Aires, unveiled research revealing that the hard drive in your computer can be, with a bit of work, turned into a rudimentary microphone and used to spy on you.

It should be noted that this technique only works on spinning disks (HDDs), not SSDs, and that it takes advantage of the way they are designed. This isn't a flaw; it's simply how the technology works.

When an HDD is subjected to vibration, the read/write head is pushed off its track, and the drive must wait for the platter to settle and retry before the operation can complete. Modern operating systems expose high-resolution timers that can measure the duration of each disk operation to the nanosecond, and herein lies the secret of Ortega's discovery.

The louder the sound reaching the drive, the stronger the vibration of the platters and head, and the longer the read/write delay. Measured latency therefore becomes a proxy for the intensity of the sound at that instant.

Knowing this, Ortega figured that it would be possible to work backwards and reconstruct the sound that caused the vibration on the HDD platters.

He was at least partially correct. While his reconstruction technique is not yet good enough to recover conversations, he notes that other research has recovered speech from very low-quality signals using pattern recognition, and he expects it is only a matter of time before someone applies that work to his.

Per Mr. Ortega: “I didn’t have time to replicate the pattern-recognition portion of that research into mine. However, it’s certainly applicable. For that reason, I would not discard that additional data like voice could be recovered in the future.”

It’s not something to be worried about immediately, but the day’s coming when your own hard drive could be used against you.

Apple’s New Face ID May Have Been Compromised

Tech companies of all shapes and sizes have been hunting for the "Holy Grail" of authentication since before the rise of the internet. A number of approaches have been developed, but none has proved impregnable; attackers have found a way around each and every one to date.

Apple recently made another attempt when they released their new iPhone X, complete with a new “ultra-secure” Face ID security feature, which was touted during the new phone’s September launch event. During that event, Apple’s Senior VP of Worldwide Marketing, Phil Schiller, had this to say about the new feature:

“Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID.”

Unfortunately, the new feature has proved to be somewhat less "ultra-secure" than was originally advertised. About a week after the iPhone X went on sale, the Vietnamese security firm Bkav was able to unlock the phone using a mask.

The mask cost the company roughly $150 to build. It combined 2D printed images, a bit of makeup and 3D-printed components, with special attention paid to the areas around the eyes, cheeks and nose (the nose itself was 3D printed).

A spokesman for Bkav had this to say about their efforts:

“Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means that the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.”

All that to say, don’t put too much faith in the new “ultra-secure” Face ID feature. It’s far from the bullet-proof security feature the company touted it as being.

Paypal-Owned Company Sees Breach Of 1.6 Million Customers

TIO Networks, a cloud-based, multi-channel bill payment platform purchased by Paypal for $233 million in 2017, was breached earlier this year, exposing PII (Personally Identifiable Information) for an estimated 1.6 million of the service’s users.

TIO Networks primarily does payment processing and accounts receivables for cable, utility, wireless and telecom companies in North America. If you do business with TIO, it’s possible that your company or personal information may have been compromised.

So far, neither Paypal nor TIO Networks has released any significant details about the breach, so we do not yet have any indication of how it happened, who was responsible or exactly which of their customers had their information exposed. Paypal did release a brief statement concerning the incident, which said, in part:

“The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure.”

The statement went on to say that as soon as PayPal identified the breach, they took action by “initiating an internal investigation of TIO and bringing in additional third-party cybersecurity expertise to review TIO’s bill payment platform.”

For their part, TIO Networks has suspended all operations until the investigation into the matter has been completed, and has begun notifying impacted customers. In addition to that, as is common with situations like these, they’re also working with Experian to provide a year’s worth of free credit monitoring for people who were affected.

A part of TIO’s statement about the incident reads as follows: “At this point, TIO cannot provide a timeline for restoring bill pay services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills….We sincerely apologize for any inconvenience caused to you by the disruption of TIO’s service.”

Apple Is On Track To Become A Trillion Dollar Company

Recently, Apple’s stock closed at $175.88, giving it a market valuation slightly above $900 billion. A Drexel Hamilton analyst named Brian White predicts that over the course of the next twelve months, the company’s stock could be trading as high as $235 per share, and at that price, Apple’s market valuation would be over one trillion dollars, making it the only trillion-dollar company on the planet.

“With a market cap of over $900 billion, we believe Apple is on its way to becoming a ‘trillion dollar baby’ as reflected in our price target. We were the first on Wall Street to project that Apple would reach a $1 trillion market cap as reflected by a price target; our current price target of $235 equates to approximately a $1.2 trillion market cap.”

Mr. White is not alone. Another analyst, Amit Daryanani, working for RBC Capital Markets, has made a similar prediction, stating:

“In our view, Apple’s quarterly results will be less important this summer as investors are focused on the iPhone 8 this fall, along with the company’s raised capital distribution initiative, depressed valuation and potential new innovations. We believe Apple remains among the most underappreciated stocks in the world.”

If you don’t yet own stock in the company, now would probably be a great time to buy. As Apple edges closer to the one trillion-dollar threshold, it’s sure to generate an increasing number of headlines, which will increase interest in the company and push the stock price higher still, hastening the day when it hits the mark.

If you already own a stake in the company, hold onto it, and if you concur with Daryanani’s assessment, add to it as you’re able. You could soon be the proud owner of a tiny slice of investment history.

Ransomware Continues To Evolve On Android Devices

Hackers around the world are continuing to innovate at a terrifying, relentless pace, and that truth is reflected in the latest form of ransomware to be found in the wild.

Dubbed "DoubleLocker," this new strain targets Android devices. It abuses the platform's Accessibility Service and registers itself as the default Home (launcher) app, so it is reactivated every time the user presses the phone's "Home" button.

Initial forensic analysis of the code base reveals this new threat to be based on Svpeng, which is a nasty form of malware that has a rather infamous reputation among Android users. It is one of the best-known banking trojans on the platform, used to steal money from people’s bank accounts, change PINs, brick devices and demand ransoms to return them to operability.

Although DoubleLocker does not contain Svpeng’s banking hack features, it is a very advanced, highly sophisticated piece of code.

As with so many other malicious programs, it gains its initial foothold by posing as a legitimate app (most often an Adobe Flash Player update) offered through a compromised website. Once installed, if the user grants it accessibility access, Android's Accessibility Service allows the app to mimic screen taps and swipes, which it uses to grant itself device administrator rights and set itself as the default launcher without the user's consent.

It then changes the device's lock-screen PIN to a value the user does not know and encrypts the files on the device.

This is the most significant development, because before DoubleLocker was found in the wild, most Android ransomware worked simply by locking the user's phone. This one takes its cue from PC-based ransomware and adds the step of encrypting the files themselves.

Another intriguing difference is that while most ransomware is configured to send the user an unlock code once the ransom is paid, no such code is sent to a user infected by DoubleLocker. Instead, the hackers unlock the phone remotely, upon receiving payment.

For users impacted by DoubleLocker, the following advice has been offered by ESET:

“The only viable option to clean the device of the DoubleLocker ransomware is via a factory reset.

For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work the device needed to be in the debugging mode before the ransomware got activated.

If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device admin rights for the malware and uninstall it. In some cases, a reboot is needed. As for data stored on the device, there is no way to recover it, as mentioned earlier.”

Top Subject People Fall Victim To Is – Data Breach Notification

For hackers around the world, success breeds more success, it seems.

A company called KnowBe4 has released a report entitled “Top Ten Global Phishing Email Subject Lines For Q3 2017.” To prepare it, they analyzed email subject lines from simulated phishing tests to determine what the most effective approach was.

Their findings were that “Official Data Breach Notification” was the hands-down winner, generating far more click-throughs than any other.

Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer had this to say about the report:

“Phishing attacks are responsible for more than 90% of successful cyber-attacks and the level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats.

We see urgency and fear of a breach as the drivers. We have over 1400 templates and a concentration of themes so we know what is highly effective. Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders, and their clients to prevent phishing schemes.”

Wise words, and the first step on the path to prevention is knowing what triggers are the most effective, which makes the KnowBe4 report especially valuable to data security teams, regardless of what business your company is in.

The irony, however, is inescapable.

The reason that “Official Data Breach Notification” is such a devastatingly effective phishing headline is simply that the hackers have been devastatingly effective. Barely a day goes by that we are not greeted by some grim headline and a news story recounting the woes of yet another company suffering from yet another massive breach resulting in hundreds of thousands, millions, or more consumer data files stolen.

They are, in a very real sense, leveraging the power of their own success to become even more successful, and that’s sadly not likely to change anytime soon.

Some Computer Manufacturers Are Disabling Intel Chip Firmware

Intel is catching some flak for shipping CPU platforms containing seriously flawed firmware. At issue is Intel's Management Engine (ME), a subsystem built into the chipset whose remote-management features are designed for enterprise use and are of no real value on equipment designed for personal or home use.

Although many popular PC and laptop manufacturers, including Acer, Panasonic, Lenovo, Fujitsu, HP and others are selling equipment with Intel ME enabled, so far, three hardware vendors have opted to disable the firmware.

These three vendors are Dell, System76 and a company called Purism. Of particular interest is the fact that Purism opted to disable the Management Engine almost a full month before Intel released any information about the security flaws in its technology. Security researchers had found a way to disable Intel ME, and the company adopted it as a means of improving the privacy protections of its customers.

According to a recent blog post published by Purism:

“Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. The Librem 13 and Librem 15 products can be purchased today and will arrive with the Management Engine disabled by default.”

The equipment manufacturers who are selling their wares with the Intel Management Engine enabled have all promised to patch the security flaws in a future update, but as of right now, none of those manufacturers have provided an ETA for when that might be.

In the meantime, if you’re looking to upgrade your equipment and you don’t want to expose yourself or your organization to unnecessary risk, buying from any of the three vendors mentioned above, Dell, System76 or Purism, is a smart choice. It gives your network security team one less thing to worry about, and that’s always a good thing.

Some Websites Can Force Your Computer To Mine Cryptocurrency

Researchers at Malwarebytes have discovered a new technique that allows malicious website owners to use your PC to mine cryptocurrency, even after you close the browser window the malicious site was displayed in.

The technique relies on a clever pop-under trick. Code on the website reads your screen's resolution and opens a small browser window sized and positioned to sit behind the clock on the Windows taskbar, where it continues to mine cryptocurrency, using a portion of your CPU's capacity.

The miner is throttled so the impact on your system's performance is modest, and only the most observant users will notice anything amiss.

According to Malwarebytes researcher Jerome Segura, “This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will show the browser’s icon with slight highlighting, indicating that it is still running.”

It's worth noting that there are other ways to tell whether some portion of your system's resources are being co-opted in this manner. If your taskbar is set to transparent, you'll be able to see the pop-under quite clearly, and resizing or relocating the taskbar will reveal the hidden browser window. Restarting your system will, of course, end the session entirely.
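Checking Task Manager by hand does not tell you which browser window is the hidden one. The following script is an added example (not Malwarebytes' code): it enumerates the top-level windows of common browser processes through the Win32 API and flags any whose rectangle lies mostly inside the taskbar area or entirely off-screen, which is exactly where this pop-under hides. The list of browser process names is an assumption; extend it to match the browsers in use on your network.

```powershell
# Added example: find browser windows hidden behind the taskbar or off-screen.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
[DllImport("user32.dll")] public static extern bool GetWindowRect(IntPtr hWnd, out RECT rect);
[DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
[DllImport("user32.dll", CharSet = CharSet.Auto)] public static extern IntPtr FindWindow(string cls, string name);
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
[StructLayout(LayoutKind.Sequential)] public struct RECT { public int Left, Top, Right, Bottom; }
'@

function Find-HiddenBrowserWindow {
    param(
        # Assumed set of browser process names; adjust for your environment.
        [string[]]$BrowserProcess = @('chrome', 'firefox', 'msedge', 'iexplore', 'opera', 'brave')
    )

    Add-Type -AssemblyName System.Windows.Forms
    $screen = [System.Windows.Forms.SystemInformation]::VirtualScreen   # all monitors combined

    # Shell_TrayWnd is the window class of the primary Windows taskbar.
    $tray = [Win32.Native]::FindWindow('Shell_TrayWnd', $null)
    $trayRect = New-Object Win32.Native+RECT
    [void][Win32.Native]::GetWindowRect($tray, [ref]$trayRect)

    $pidToName = @{}
    Get-Process -Name $BrowserProcess -ErrorAction SilentlyContinue |
        ForEach-Object { $pidToName[[uint32]$_.Id] = $_.ProcessName }

    $found = New-Object System.Collections.Generic.List[object]
    $callback = [Win32.Native+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        [uint32]$ownerPid = 0
        [void][Win32.Native]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
        if (-not $pidToName.ContainsKey($ownerPid)) { return $true }   # not a browser
        if (-not [Win32.Native]::IsWindowVisible($hWnd)) { return $true } # skip helper windows

        $r = New-Object Win32.Native+RECT
        [void][Win32.Native]::GetWindowRect($hWnd, [ref]$r)
        $w = $r.Right - $r.Left
        $h = $r.Bottom - $r.Top
        if ($w -le 0 -or $h -le 0) { return $true }

        # Fraction of the window that overlaps the taskbar rectangle.
        $ix = [math]::Max(0, [math]::Min($r.Right, $trayRect.Right) - [math]::Max($r.Left, $trayRect.Left))
        $iy = [math]::Max(0, [math]::Min($r.Bottom, $trayRect.Bottom) - [math]::Max($r.Top, $trayRect.Top))
        $behindTaskbar = (($ix * $iy) / ($w * $h)) -ge 0.8

        # No overlap at all with the virtual screen.
        $offScreen = ($r.Right -le $screen.Left) -or ($r.Left -ge $screen.Right) -or
                     ($r.Bottom -le $screen.Top) -or ($r.Top -ge $screen.Bottom)

        if ($behindTaskbar -or $offScreen) {
            $found.Add([pscustomobject]@{
                Process = $pidToName[$ownerPid]
                PID     = $ownerPid
                Handle  = $hWnd
                Rect    = '{0},{1}-{2},{3}' -f $r.Left, $r.Top, $r.Right, $r.Bottom
                Reason  = if ($behindTaskbar) { 'inside taskbar area' } else { 'off-screen' }
            })
        }
        return $true   # continue enumeration
    }

    [void][Win32.Native]::EnumWindows($callback, [IntPtr]::Zero)
    return $found
}

Find-HiddenBrowserWindow | Format-Table -AutoSize
```

A hit tells you which browser process owns the hidden window; terminating that process (Stop-Process -Id) ends the mining session, at the cost of any other tabs the same process was hosting. Run it after closing the browser normally: a browser process that is still alive with a window parked inside the taskbar rectangle is the signature of this trick.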

This is but the latest chapter in the ongoing battle between hackers and unscrupulous website owners and the makers of adblocking and other types of security software. In time, ad blocking software will be modified to catch this type of exploit, and in response, the owners of malicious websites will change their approach and find a new way to get around various detection schemes. As ever, while software can certainly help, vigilance remains the best defense.

Watch Out For New Facebook “Trusted Friend” Scam

If you can’t trust your friends, who can you trust?

No one, apparently.

There’s a new scam on Facebook that’s making waves, and it’s one you should be mindful of. You may get an “urgent message” from someone you know, asking for your help in recovering their Facebook account.

This is a tried and true phishing scam, relying on some basic psychology. After all, if you get an earnest sounding message from someone you know explaining that you’re listed as one of their “Trusted Friends” and as such, uniquely positioned to help verify their identity so they can get access to their account back, who wouldn’t instinctively respond? This is exactly what the scammers are hoping for.

The message goes on to explain that Facebook is sending a recovery code to your email address, and all they need is for you to pass it along, or to use it to reset the password for them.

Unfortunately, the code is nothing of the sort. The scammer, writing from your friend's already-compromised account, has triggered a password reset for your own account, and the code that lands in your inbox is your reset code. If you forward it, or click the link, "reset your friend's password" and helpfully reply with the new password, you have handed control of your own account to the attackers. From there, the sky's the limit.

What makes this scam particularly damaging is that so many other web properties let you sign in with your Facebook account. A compromised Facebook account is therefore also the key to every site you have connected to it.

There's no real defense for this other than vigilance, and if you see a message like this, simply ignore it. Facebook's genuine Trusted Contacts process never sends a code to your own email address; the contact retrieves a code from Facebook's recovery page and hands it to the account owner. A password-reset code arriving in your inbox that you did not request is a sign that someone is trying to take over your account, not your friend's. If your "trusted friend" genuinely needs help regaining control of their account, Facebook has resources to assist.