Intel Taking Additional Steps To Prevent Security Flaws

By now, you’ve almost certainly heard of “Spectre,” one of two recently discovered security flaws that impact every chip made by Intel in the last ten years.

The story of Spectre, and Intel’s response to it, has been an interesting one.  In response to the flaw’s discovery, Intel rushed out a firmware patch, but quickly had to withdraw it and recommend that users not install it, because it created as many problems as it solved.

Intel has since released a better, more stable patch, but hasn’t stopped there.  The company recently revealed that it is introducing various hardware protections against Spectre-like vulnerabilities that may be detected in the future.

According to Intel’s CEO, Brian Krzanich, “(We have) redesigned parts of the processor to introduce new levels of protection through partitioning.  As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical.  Our goal is to offer not only the best performance, but also the best secure performance.”

While that is welcome news for people planning to make purchases in the near future, owners of existing Intel-powered equipment will still have to rely on firmware updates for Spectre protection. This unfortunately comes with the tradeoff of a hit to CPU performance.

In tandem with that update, the company also announced that it now has firmware updates available for all of its products launched within the last five years.  This, coupled with its recent partnership with Microsoft to help deliver Spectre updates to their legions of impacted customers, should provide some peace of mind, even with the expected hits to system performance.

Unfortunately, with new variants of Spectre and Meltdown being discovered on a regular basis, this is likely not the last we’ll hear about this issue.

Researchers Find Major Vulnerabilities In Banking Apps

Do you do your banking online?  If so, there’s bad news in the form of a report recently released by the security firm “Positive Technologies.”

The company tested a variety of websites using a proprietary tool they developed in-house, which scans websites for security flaws.  While flaws were found across a wide range of industries, literally every banking site Positive Technologies tested was found to have serious security flaws.

The particulars varied from one bank to the next, but the security flaws included:

  • XML external entity errors
  • Arbitrary file reading and modification flaws
  • Expired or nonexistent SSL certificates
  • Poor or nonexistent encryption

Some banking websites were so flawed that a hacker could carry out a ‘man in the middle’ attack and run malicious code to infect the user’s machine. From there, the attacker could potentially make off with all of the user’s money, along with more than enough information to steal their identity.

Some 80 percent of sites tested were found to be vulnerable to XSS (cross-site scripting) attacks.

Regardless of the specific vulnerability, the big, terrifying takeaway from the Positive Technologies report is simply this:  Of the financial sites they tested, 100 percent of them were found to have vulnerabilities.

These are the people who are tasked with safeguarding your money, and they’re obviously not doing enough to keep their websites secure.

Firewalls and basic detection protocols are simply not enough.  The hackers of the world have matured and gotten better at what they do, and security professionals simply haven’t been improving as quickly.  This is the reason we’re seeing such a massive spike in high profile data breaches, with each year setting a new record, beating out the one before, often by a wide margin.

Until that changes, everyone is at risk.  Given how important the internet has become to international commerce and modern life, that’s simply unacceptable.

Attackers Targeting Job Seekers Via Listings And Recruitment

Cyber-criminals around the world are increasingly focusing their attention on job seekers.  According to the security firm Flashpoint, there has been a notable uptick in ploys involving phony job listings that attempt to get job seekers to give up personal information.

Perhaps the biggest surprise is the fact that this is only now becoming a growing threat.  After all, from the cyber-criminal’s point of view, it’s low hanging fruit.  Job seekers expect that they’ll be asked for all types of personal information when applying for positions, after all.

As long as the criminals take the time to make their offers appear legitimate, most applicants wouldn’t think twice about sending in their resume (complete with physical address and phone number), and then, a bit later in the process, their social security number and other personal and confidential information.

According to Flashpoint analyst David Shear, it’s not just personal information the criminals are after, however.  Increasingly, criminals are seeking to engage the services of the people who “apply,” by using them as unwitting money mules, or using them as part of an intricate money laundering scheme.

On top of that, it’s all too easy for the criminal to respond to an applicant’s inquiry with an email containing an attachment (usually a poisoned PDF).  Again, since the applicant thinks he (or she) has replied to a legitimate offer for employment, odds are excellent that they’ll open the attachment without hesitation.

At that point, whatever payload the poisoned file contained is installed onto their computer, which can have devastating consequences, depending on the nature of the malware the criminals want to install.

Shear also notes that he and his team have seen an increase in the number of inquiries on the Dark Web asking after compromised business accounts, and offers this explanation as to why: “Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge.”

All that to say, job seekers beware.  It seems that no low is too low where these criminals are concerned.

Apple Recall Affects Some Macbook Pro Batteries

If you recently bought a 13-inch MacBook Pro (without a Touch Bar), you’ll want to head to Apple’s website.  The company didn’t make a big announcement, but it has quietly introduced a battery replacement program that covers what the company described as a “limited number” of laptops.

The company didn’t provide many details, but apparently, on certain machines an unknown component failure can cause the built-in battery to swell.  There’s no danger of an explosion and no fire hazard associated with the failure, but the company is playing it safe and offering to replace the batteries on any affected laptop, free of charge.

According to details on Apple’s website, the laptops in question were manufactured between October 2016 and October 2017.  If you visit the webpage, you can enter your machine’s serial number to see if your machine is affected, and thus eligible for the free replacement.

At this time, it’s unclear precisely how many machines this issue has impacted. But clearly, Apple wants to put this issue to rest as quickly as possible.

Battery swelling is a strange symptom, but surprisingly, this is not the first time Apple products have suffered from similar issues.  Not long ago, Apple’s 42mm Smart Watches suffered a similar problem, prompting the company to issue a similar recall.  The company also recently extended their warranty on first-gen Apple Watch models by two years, offering free battery replacements for up to three years after the date of purchase.

These recent moves have caused iPhone owners to cry foul.  On the heels of the Apple “Throttling” drama last year, the company offered a discounted battery replacement program to help bring older iPhones with failing batteries back to full speed.  While Apple’s $29 discounted battery price is a significant savings over the regular price of $79, some users argue that the batteries should have been free for these products as well.

Google Changing Name Of Android Wear Without Updates

Wearable computing devices, from smart watches to glasses, are struggling to find an audience, and Google’s Android Wear operating system hasn’t gotten much love in recent years.  It has weakened as major players in the tech space have struggled to find a market for these products. On the face of it, these products would seem destined to be wildly popular, but they still haven’t quite captured the imaginations of a critical mass of the consuming public.

Google’s recent announcement that it was rebranding Android Wear to “Wear OS,” is the most significant move we’ve seen in over a year. However, without significant updates, simply changing the name isn’t going to improve the OS’s visibility or viability.

The name change was driven by the fact that when the OS was first released, it appeared only on smart watches, but the company later added iPhone compatibility, which made the name less than perfectly applicable.  In a blog post related to the rebranding effort, Google referred to Wear OS as “a wearables operating system for everyone.”

It’s hard to make a convincing argument that Google is all that interested in wearables.  One needs only to compare the company’s handling of Wear OS with the way Apple handles wearable products and OS’s.

We had to wait two and a half years between the version 1.0 and version 2.0 of Wear OS.  Android Wear was released more than 13 years ago, and since its release, the company hasn’t made any updates or announcements except for the recent blog post announcing its rebranding.

There are some signs that Google has long term plans for the floundering operating system, though.  The company has been recruiting high-profile brands including Tommy Hilfiger, Michael Kors, Hugo Boss, Guess, Gc, Fossil and others to make and sell Android watches.  It will be interesting to see what the company does in coming months.

Microsoft Ending Forum Support For Older Operating Systems

Big changes are coming from Microsoft starting in July (exact date unknown), and they have potentially dire implications if you’re using some of the company’s older technology.

Microsoft announced that in July, they’ll no longer provide forum-based support for a wide range of products and software, including:

  • Microsoft Band
  • Zune
  • Surface Pro
  • Surface Pro 2
  • Surface RT
  • Surface 2
  • Microsoft Security Essentials
  • Internet Explorer 10
  • Office 2010
  • Office 2013
  • Windows 7
  • Windows 8.1
  • Windows 8.1 RT

Although the company didn’t cite a specific reason for the change, it seems obvious that this is another move to push people into buying the latest and greatest of the company’s offerings.  Unfortunately for them, the announcement has been met with more than a little hostility, and for good reason.

Consider that the company has pledged to continue to support Windows 7 until 2020, and Windows 8.1 (and variants) until 2023.  Given that we’re still quite some distance from those EOL dates, closing an important avenue of support for a product the company is still ostensibly supporting seems a bit premature.  Nonetheless, there’s no indication at this time that the company has plans to extend the forum support for any of these products beyond July.

In some instances, this won’t prove to be problematic.  Few people still use Internet Explorer 10 as anything more than a curiosity, and Zune was never especially popular, so the loss of those forums isn’t likely to cause much backlash. However, in the case of Windows 7 and 8.1, not only has the company pledged support for years to come, but those products are still actively used by a significant minority around the world, and those users aren’t thrilled with the recent announcement.

In any case, given that the company is unlikely to change course, this is all the more reason to make upgrading a priority if you’re still using any of the products mentioned above.

Bank Employee Steals Info On Over A Million Customers

Atlanta-based SunTrust Bank is the 12th largest bank in the US. It has a major problem, and so do roughly a million and a half of its customers.  According to CEO William Rogers, an unidentified employee of the firm printed a vast amount of private customer information, including names, addresses, phone numbers and account balance information.

Rogers stressed that social security numbers, account numbers, driver’s license numbers, user IDs, and passwords were not exposed.  In a recent press release, he had the following to say:

“In conjunction with law enforcement, we discovered that a former employee while employed at SunTrust may have attempted to print information on approximately 1.5 million clients and share this information with a criminal third party.

We and third parties have done forensic analysis on these accounts and we have not identified significant fraudulent activity regarding the effect of the accounts.”

Even so, this is a blow to the company’s image, and the lost trust won’t be easily regained.  It also underscores how vulnerable companies are to internal threats.

In response to the attack, SunTrust is offering ongoing IDnotify identity protection (offered through Experian) to all its current and new clients at no cost.

The company’s handling of the issue so far has been about as good as can be expected.  The unfortunate reality is that there aren’t many good ways of stopping a rogue employee from making off with sensitive customer data or proprietary company information.  Better auditing protocols and controls can help, but only to a certain extent.  While those kinds of policies make it easier to detect when an internal theft has occurred, they do nothing to actually prevent them.

This puts management in a tricky spot.  Employees have to be trusted with sensitive data in order to do their work, which also increases risk.  There aren’t many good solutions here beyond better vetting of employees, but of course, that is by no means a magic bullet either.

New InvisiMole Malware Turns Your System Into A Video Camera

Another week, another new threat.  This time, it comes in the form of a new strain of malware that researchers are calling InvisiMole.  The new threat was discovered by researchers at ESET, who found it on a number of hacked computers in Russia and Ukraine.

While the researchers have yet to trace the software back to the group that developed it, based on the available evidence, the campaign appears to be tightly targeted and highly selective.  Only a few dozen computers have been found to be infected, although all impacted systems are both high-profile and high-value.

As for the software itself, it’s a nasty piece of business, capable of quietly taking control of an infected system’s video camera and capturing audio. This allows the operators to both see and hear anything going on in the vicinity of the system.  Essentially, then, InvisiMole turns your computer into a compromised Amazon Echo.

Based on the sophisticated design of the software and the fact that the researchers have yet to be able to trace it back to the source, it’s believed that it has been developed by (or at least in partnership with) an unknown state actor.  Although the current campaign is small and highly targeted, given its capabilities, InvisiMole could easily become a much more serious threat.

Even worse, it’s entirely possible that the original developers could lose control of the code, or that some other hacker group could reverse engineer it, causing it to spread far and wide.

Research into the software is still ongoing, and at this point ESET can’t say with certainty how the malicious payload is being delivered to target machines. Of course, at present, there is no antivirus software defense against it.  Stay on your guard.  You never know who might be watching.

Are Lasers The Answer To Completely Wireless Computing And Charging?

Researchers at the University of Washington just might change the face of computers and computing forever.  It may seem like the stuff of science fiction, but based on their research, the day may soon be coming when computing devices are completely untethered, requiring no wires for either power or recharging.

The team was able to successfully charge a smartphone from across a room using nothing more than lasers.  Right now, their approach has an effective range of about forty feet.  Devices are detected by way of acoustic “chirps” which occur below the threshold of human hearing.  Once a target device is located, the laser charging system sends power to it using laser light, with no damage to the target device.

Right now, the power transfer is limited to just a couple of watts. However, the researchers don’t see any obstacles that would prevent scaling of the power transfer, meaning it could easily be modified to power PCs.

Wireless Power Transfer (WPT) is not a new idea.  In fact, it’s in use today in such things as smartphones and electric toothbrushes.  The problem, at least until now, has been a matter of range, which has been virtually nonexistent until the University’s game-changing experiments.

The big breakthrough wasn’t in sending power to a device via laser.  Scientists have known that was possible for quite some time.  The issue, though, was that when lasers (or microwaves) were used to send power, they were invariably hazardous to humans in the area. In addition, they often fried the electronics they were attempting to power.  The research team seems to have solved both of those problems.

While the technology is still quite some distance from being commercially available, this is a huge leap forward.  This could forever change the way we interact with our computing devices, and that change could come much sooner than anyone ever imagined.

Yahoo Messenger Will Shut Down In July

It’s the end of the line for Yahoo Messenger.  As of July, it will be no more, marking the end of an era.

The announcement comes just six months after AIM (the old AOL messaging program) was shut down.  The first major messaging programs from the early days of the internet will soon be a thing of the past.

Users will have six months to download their chat histories from Yahoo Messenger. If they haven’t gotten what they need by then, they’ll lose their chance forever.

It probably won’t come as a major blow to most people.  Although it used to be one of the most popular and widely used communications programs, its popularity has slipped markedly in recent years, to the point that there’s little justification in continuing support for it.

The company had this to say on the matter:

“We know we have many loyal fans who have used Yahoo Messenger since its beginning as one of the first chat apps of its kind.  As the communications landscape continues to change over, we’re focusing on building and introducing new, exciting communications tools that better fit consumer needs.”

Currently, the company has no direct replacement for Messenger.  The closest match would be a group messaging app called “Yahoo Squirrel,” which is currently in beta.  Users interested in the new tool can request an invitation at squirrel.yahoo.com.

For the rest of us, Yahoo Messenger’s loss isn’t likely to cause problems from a business perspective. This, along with Microsoft’s retirement of the venerable MS Paint, serves as a reminder that the internet is growing up.  Many of the tools we’ve used and taken for granted for years are now fading away.  It’s a brave new world.