New Vulnerability May Expose Encrypted Emails 

Security researchers at the Electronic Frontier Foundation (EFF) have discovered a dangerous new email vulnerability called “Efail.”  Exploiting this new email vulnerability would allow hackers to decrypt emails encrypted with either PGP or S/MIME – including emails that were sent several years earlier.  Both of these encryption tools are commonly used by politicians, journalists and other professionals who need a secure means of electronic communication. Since the standards are so well established, they’re used widely and regarded as fool-proof.  Sadly, that’s no longer the case.

EFF researchers had this to say about the newly discovered vulnerability:

“In a nutshell, Efail abuses active content of HTML emails (for example, externally loaded images or styles) to exfiltrate plaintext through requested URLs.  The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim.  The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

In simpler terms, it’s about as bad as it could possibly get.  Once a hacker has access to your email account, they can use the embedded HTML tags inside your mail to force your email system to decrypt those messages so the hackers can see exactly what they contain.

EFF’s recommendation is that if you rely on either PGP or S/MIME for email encryption, your best bet is to simply disable them, and uninstall the tool or tools used to decrypt those messages.

It should be noted however, that there are others in the security community who disagree with this assessment.  A spokesman for ProtonMail tweeted out the following response:

“Efail is a prime example of irresponsible disclosure.  There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (Disable PGP), ignoring the fact that many (Enigmail, etc.) are already patched.”

Despite the divided opinion, if it’s something you’re concerned about, you can neatly sidestep the problem by simply opting for plain text messages, rather than using HTML emails.
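One way to audit a message for the externally loaded content Efail depends on, and to fall back to its plain-text part, shown as an added example (not code from this article or from any mail client). The attribute list, function names and sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

# (tag, attribute) pairs that make a renderer fetch a URL; assumed list, not exhaustive.
REMOTE_ATTRS = {
    ("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src"),
    ("video", "poster"), ("audio", "src"), ("source", "src"),
    ("body", "background"), ("object", "data"), ("embed", "src"),
}
REMOTE_SCHEMES = ("http://", "https://", "//")


class RemoteRefFinder(HTMLParser):
    """Collects every attribute that would trigger an outbound request."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if (tag, name) in REMOTE_ATTRS and url.lower().startswith(REMOTE_SCHEMES):
                self.refs.append((tag, name, url))


def remote_refs(msg):
    """Return (tag, attribute, url) for each remote load in the HTML parts."""
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.refs)
    return found


def plain_text_view(msg):
    """Return only the text/plain body; None means there is nothing safe to show."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else None


def build_sample():
    """Constructed, benign sample: one inline (cid:) image, two remote loads."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Quarterly numbers attached.\n")
    msg.add_alternative(
        '<html><head><link rel="stylesheet" href="https://cdn.example/style.css">'
        '</head><body><img src="cid:logo"><img src="https://img.example/banner.png">'
        "<p>Quarterly numbers attached.</p></body></html>",
        subtype="html",
    )
    return msg
```

A message that reports any remote loads here is one whose HTML view would contact a third-party server when opened; displaying `plain_text_view()` instead avoids those requests.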

New Chips Support Increased Network Speeds To 400Gbps

Marvell Semiconductor has a new product out, and it’s a game changer.  Their new “Alaska” chip (the Alaska C 88X7120) is the first on the market to support the new 802.3 standard.  The 802.3cd is on tap to eventually replace current Ethernet ports running at 25Gbps to 100Gbps with ports that will run at 50Gbps, 200 Gbps, and 400 Gbps.

The future is now.

Granted, the Alaska chips aren’t for sale just yet, but they are sampling to customers (“Sampling” in the chip world is akin to beta testing in software).  The chip supports sixteen 50 Gbps ports, four 200 Gbps ports, and two 400 Gbps ports, which will quadruple network output.  Even better, the new chips support both copper and fiber-optic wiring, as well as SerDes (long-reach serialization/deserialization) on system and line side interfaces, allowing OEMs to use the chips for wide-area interfaces.

Also of interest, the new chips use PAM4 (pulse-amplitude modulation), which is a four-level signaling scheme that’s designed to replace NRZ (non-return to zero) binary modulation, and even better, the new PAM4 protocol will be backwards compatible with NRZ hardware.

The port density on the new chip has been optimized to enable both Quad Small Form Factor Pluggable – Double Density and Octal Small Form Factor Pluggable port types for 500 GbE, 200 GbE, and 400 GbE deployments.

If all of those technical details make your head spin, not to worry.  The short of it is that once these chips go mainstream, network output is going to increase dramatically, which means that network speeds are about to get even faster.

Unless you run or manage a huge data center, you’ll probably never have direct contact with these chips. However, as big data centers begin deploying them, you’ll absolutely see the benefits.

More Bad News From The Equifax Breach 

The news just keeps getting worse for Equifax.  The company has already had to revise their estimates of how many people were impacted by last year’s breach more than once, and now, they’re having to revise their estimate yet again.  This latest revision comes after company officials had to testify before Congress, which has been formally investigating the matter.

Prior to the release of Equifax’s latest “statement of record,” here’s a snapshot of how bad the data breach was:

- 5 million consumers had their Social Security numbers compromised
- 99 million consumers had address information exposed
- 3 million consumers had gender information exposed
- 3 million consumers had their phone numbers exposed
- 209,000 consumers had their credit card numbers exposed
- 97,500 consumers had their Tax Identification numbers exposed

Now, in addition to all of that, the company is adding the following:

- 6 million consumers had their driver’s license numbers exposed
- 12,000 had their Social Security and Taxpayer ID cards exposed
- 3200 consumers had their passports exposed
- An additional 3000 had other documents, such as military and state IDs, compromised

As bad as it looks that the company has to keep revising their estimates upward, there’s a logical reason for it.  The data that was stolen didn’t come from a single database.  On top of that, the databases themselves all had highly variable structures, which has made it exceedingly difficult for forensic analysts to accurately assess the extent of the damage.  All that to say, since the process is still ongoing, we may see yet another upward revision of the scope and scale of the breach.

Of course, the company is doing what most companies do in cases like these:  They’re offering a year’s worth of free credit monitoring to impacted customers.  The ironic part of their offer though, is the fact that Equifax is offering their own credit monitoring service free for a year, which converts to a paid monitoring service after the year is up.  As Congressional officials rightly pointed out, this means that the company is essentially profiting off of its own breach, which is disturbing to say the least.

Most “Wannacry” Hacks Were On Windows 7 Machines

Last year’s Wannacry attack was bad, but in many ways, it was a self-inflicted wound.  According to Webroot’s recently published “Annual Threat Report,” almost all of the machines that succumbed to the Wannacry attack were running Windows 7.  That attack is estimated to have caused in excess of $4 billion in total losses.

The central problem is that businesses have been much slower than individuals to make the shift from Windows 7 to the much more secure Windows 10.  For example, in January 2017, only one Enterprise computer in five was running Windows 10, a figure which climbed to 32 percent by year’s end.

Contrast that with the number of Enterprise computers running Windows 7.  In January 2017, a staggering 62 percent of Enterprise computers were still running Windows 7.  That figure declined as the year went on, but only marginally, dropping to 54 percent by the end of the year.

Meanwhile, Windows 8 was running on 5 percent of Enterprise computers in January 2017, and had dropped to 4 percent by the end of the year.  Windows Vista and XP both represented a tiny fraction (less than 1 percent) of Enterprise OS’s.

Contrast that with the Windows 10 migration figures for individuals.  In January 2017, 65 percent of home users had made the switch to Windows 10.  By the end of the year, that figure had grown to an impressive 72 percent.

A Webroot spokesperson had this to say about the report:

“While Windows 10 won’t solve all security woes, it’s a step in the right direction.  Combined with advanced endpoint protection that uses behavioral analysis and machine learning, adopting Windows 10 can greatly reduce enterprises’ vulnerability to cyber-attacks.”

All that to say, if you haven’t moved away from outdated operating systems at your company, this is yet another compelling reason to do so immediately.  No matter what legacy systems you may be running that rely on old OS’s, it’s just not worth the risk.

New Freemium Offer Mines Cryptocurrency

Freemium software is certainly nothing new.  These are free apps that offer premium features if you don’t mind ads displaying while you’re using them, or if you pay a small fee to have the ads removed.  At least one company is trying a new business model on for size, albeit with limited success.

The company is Qbix, and their freemium app is called “Calendar 2.”  It’s a solid calendar app with more features than Apple’s default app, and Qbix offers its users premium features if they’re willing to allow the company to make use of CPU cycles to mine cryptocurrency.

Hackers around the world have been enslaving the computers of unsuspecting users and using their processing power to mine cryptocurrency, all while making millions in the process. However, this is the first instance we’ve seen of a company attempting to bring the business model mainstream.

Unfortunately, there were two issues with the release of the latest version.  First, there was a bug in the way the mining app was implemented that kept it running, even if users opted out of the default setting (which is, of course, to accept the arrangement).

Second, and even more disturbing, the mining software consumed twice as much processing power as the calendar app claimed that it would.  Both flaws were discovered by Calendar 2 users, who did not have nice things to say about the app and expressed their concern that Apple had allowed the app on the App Store in the first place.

For Apple’s part, the company seems to have no problem with the revenue scheme, provided that the offering company gets the consent of the user. Given Calendar 2’s less-than-spectacular success with the idea, though, the company may well change their Terms of Service to forbid it going forward.

Microsoft Is Issuing Surface Book 4 Replacements

Do you own a Surface Book 4?  If you do, you may have been unfortunate enough to get one that suffers from a peculiar screen flickering issue.  It’s not known exactly how many Surface Book 4’s have been affected by the issue, but thousands of angry users have been comparing horror stories about it on various discussion forums around the web.

For their part, Microsoft has been very slow to even acknowledge the existence of the issue, even though there are some user videos showing the screen flicker in real time. In addition, there are videos of various crude hacks and workarounds owners have been using to get the screen to behave normally. These have included popping their computers in the freezer or running a hair dryer over them.  Even when these “fixes” worked, they only worked for short periods of time.

Finally, the company has officially acknowledged the problem, and has now begun offering to replace the units for anyone dealing with “Flickergate.”  Sadly, it’s too little, too late for some frustrated users, who have shelled out an average of $450 to replace the problematic screens on their own.

If you have a Surface Book 4, are dealing with the aggravating screen flicker issue and haven’t replaced it on your own yet, stop by Microsoft’s website and follow the prompts to see if you qualify for a replacement.

Over the past couple of years, Microsoft has done a good job at demonstrating nimbleness and responsiveness to customer complaints, which makes their handling of Flickergate more than a little disappointing.  Our hope is that in the months ahead, whatever shape or form the next issue the company faces might be, they’ll return to recent form and be much more responsive than they were this time around.

Apple May Soon Say Goodbye To Intel Chips

Rumors have been circulating for years that Apple has plans in the works to cut Intel and their chips out of the equation, in preference for using their own custom chips in its laptops and desktop computers.  Their iPhones and other devices already use custom chips, and according to the latest buzz, the move is designed to foster seamless interaction and cross-compatibility across the entire Apple ecosystem.

Back when such rumors initially began circulating, it was believed that the driving force behind Apple’s desire to cut Intel out of the equation was simply that they were looking to increase their profits.  Under the conditions of the current arrangement, Apple pays 5 percent of its profits to Intel in exchange for use of that company’s chips.  That, together with the fact that using Intel chips makes it relatively easier for competitors to copy Apple’s innovations, creates a compelling reason.

Nothing has come of those rumors for more than a decade, but the most recent iteration of the rumor may have some teeth to it, considering Intel’s ongoing troubles with the Spectre and Meltdown vulnerabilities that impact all Intel chips made during the last decade.  Put that together with the above, and suddenly it seems like Apple has a lot of incentive to want to make a change.

The company’s stock took a hit on the heels of the rumor, but most in the Apple community feel it would be a net benefit to the company.  Not only would it give their products a competitive edge, but it would also allow Apple more control over their product development roadmap and ecosystem.

A recent Bloomberg report notes that Mac Pro laptops are slated to begin shipping with an Apple proprietary chip in the place of Intel’s hardware beginning next year.  In addition, according to the latest buzz, Apple plans to complete the transition across their entire product line by the year 2020.

More information on this topic as it becomes available.

Now Is A Good Time To Upgrade To SSD Drives

If you’ve been considering swapping out some of your old HDDs to SSDs, now is a great time to do so, thanks to the convergence of two factors.

First is the fact that the manufacturers of SSDs have been making strides in terms of increasing the capacity of the drives they’re offering. They are doing this while simultaneously offering other enhancements that reduce data duplication, making their products faster and more efficient than their HDD counterparts.

Second is the fact that there is currently a dramatic oversupply of memory chips, which has been allowing SSD manufacturers to lower the prices of the products they’re selling.

According to a recently released report from DRAMeXchange:

“The oversupply will continue in NAND Flash market, where suppliers face the pressure to consume production capacity.”

The company is anticipating that the average price of enterprise PCIe SSDs and SATA SSDs could fall by ten percent or more over the course of the next quarter.  Further, the firm notes that the enterprise SSD market has been growing at a blistering pace.  This year, they expect that the sales of SSDs will top 30 million units, up from less than 20 million just last year, and the company expects a similar rate of growth for at least the next three years.

It seems that businesses of all shapes and sizes are enthusiastically lining up behind SSD technology, and with good reason.  Not only are the prices increasingly attractive, but manufacturers are really going the extra mile by offering a raft of new capabilities, in addition to more overall storage capacity.

Obviously, this convergence of factors won’t be long-lived, so if you’ve been planning to upgrade your equipment, now is the time to do so before the winds change direction and prices start to increase again.

Credit Card Breach Hits Two Large Companies

Delta Airlines and Sears Corporation have both been notified of a data breach that has exposed the credit card information of some 100,000 Sears customers and “hundreds of thousands” of Delta customers.

Neither Delta nor Sears were breached directly. A live chat service called [24]7 (used by both companies), was breached, allowing access to Sears and Delta customer data including credit card numbers, CVV numbers, expiration dates, and cardholder names.

There are several wrinkles and interesting pieces of information that go hand in hand with this news.

First, if a customer has a Sears-branded credit card, their data was definitively not compromised.  Second, according to [24]7, the breach of their system occurred on September 27, 2017, but the incident was not reported to either Sears or Delta until five months after the incident occurred.

Attempts to reach out to [24]7 to discover why it took them five months to notify their impacted customers have been met with silence.  All the company will say about the matter is that the investigation is ongoing.

For their part, both Sears and Delta have been handling the fallout from the incident as well as can be expected.  They’re in the process of notifying impacted customers, and free credit monitoring will be offered.

The key problem, however, is this:  Since [24]7 waited five full months to notify Sears and Delta, any fraudulent charges that may have been made on customer credit cards have likely already been made. In addition, linking them to the breach at this point is going to be an uphill battle to say the least.

Security researcher Craig Young, who has been following the issue, had this to say:

“Time is a critical factor for preventing fraud whenever there is a breach of financial data.  Delta has assured customers that they won’t be held responsible for fraudulent charges, but it seems likely that if fraudulent charges related to this have not already been identified, there is little hope they will ever be connected to this breach.”

Indeed, [24]7’s handling of the incident is a classic example of how not to handle an incident like this.

Coca Cola Breach Proves Employees May Be Significant Threat

Coca-Cola is the latest company to fall victim to a data breach.  Unlike some of the others that have recently made headlines, however, this one was conducted from within.

In September 2017, an employee at one of the company’s subsidiaries stole an external hard drive containing personal data belonging to more than 8,000 company employees.  Law enforcement officials notified the company when the drive was confiscated, but urged them not to make a public announcement regarding the incident until their investigation had been concluded.

Coca-Cola complied with this request, which is why we’re only hearing about it now.  Once the company got the green light from law enforcement, they notified all impacted personnel via a letter, which included:

“Our investigation identified documents containing certain personal information for Coca-Cola employees and other individuals that was contained in the data held by the former employee.  We do not have any information to suggest that the misappropriated information was used to commit identity theft.”

As is becoming standard practice in the aftermath of such incidents, the company also announced that it would offer one free year of identity monitoring to the people impacted by the breach.

This latest announcement serves to drive home one of the main points made in a recently conducted survey, “The Global State of Information Security Survey 2018,” which concluded that insider threats are one of businesses’ top security concerns.

This breach is significantly smaller in both scope and scale than some of the others we’ve seen so far this year.  However, the company is still suffering backlash, which has impacted both the trust of its employees and the company’s stock price.  As of now, the company’s stock price is down nearly 4 percent over the last three months, with additional losses likely in the near term.