Hard Drives Susceptible To Sound Waves, Can Double As Microphones

File this one away under “obscure and terrifying.”

Recently, a security researcher named Alfredo Ortega, speaking at a security conference in Buenos Aires, unveiled research revealing that the hard drive in your computer can be, with a bit of work, turned into a rudimentary microphone and used to spy on you.

It should be noted that this hack only works on HDDs and takes advantage of the way they are designed. Understand that this isn’t a flaw; it’s simply the way the technology works.

An HDD cannot be read or written to while it is subject to vibration. Your machine has to wait for the oscillation to stop before it can perform an action. Modern operating systems come with built-in tools that measure HDD operations to the nanosecond, and herein lies the secret of Ortega’s discovery.

The louder the sound, the more intense the vibration, and the longer the resulting delay in the drive’s read-write operations.

Knowing this, Ortega figured that it would be possible to work backwards and reconstruct the sound that caused the vibration on the HDD platters.

He was at least partially correct. While his reverse engineering technology is not yet sufficiently developed to pick up conversations, he notes that there is research that can recover voice data from very low-quality signals using pattern recognition. He figures that it’s just a matter of time before someone applies it to his research.

Per Mr. Ortega: “I didn’t have time to replicate the pattern-recognition portion of that research into mine. However, it’s certainly applicable. For that reason, I would not discard that additional data like voice could be recovered in the future.”

It’s not something to be worried about immediately, but the day’s coming when your own hard drive could be used against you.

Apple’s New Face ID May Have Been Compromised

Tech companies of all shapes and sizes have been on the hunt for the “Holy Grail” of security features since before the rise of the internet. So far, a number of strategies have been developed, but none have proved to be successful. Hackers have found ways around each and every one to date.

Apple recently made another attempt when they released their new iPhone X, complete with a new “ultra-secure” Face ID security feature, which was touted during the new phone’s September launch event. During that event, Apple’s Senior VP of Worldwide Marketing, Phil Schiller, had this to say about the new feature:

“Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID.”

Unfortunately, the new feature has proved to be somewhat less “ultra-secure” than was originally advertised. Just one week after Apple’s announcement, the Vietnamese security firm Bkav was able to unlock the iPhone X using a mask.

It cost the company roughly $150 to create the mask, which was built using a combination of 2D images, a bit of makeup and a few 3D-printed components, with special attention paid to the areas around the eyes, cheeks and nose (which was printed on a 3D printer).

A spokesman for Bkav had this to say about their efforts:

“Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means that the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.”

All that to say, don’t put too much faith in the new “ultra-secure” Face ID feature. It’s far from the bullet-proof security feature the company touted it as being.

Ransomware Continues To Evolve On Android Devices

Hackers around the world are continuing to innovate at a terrifying, relentless pace, and that truth is reflected in the latest form of ransomware to be found in the wild.

Dubbed “DoubleLocker,” this new strain targets Android devices. It uses and abuses the platform’s Accessibility Service, reactivating itself every time the user presses the phone’s “Home” button.

Initial forensic analysis of the code base reveals this new threat to be based on Svpeng, which is a nasty form of malware that has a rather infamous reputation among Android users. It is one of the best-known banking trojans on the platform, used to steal money from people’s bank accounts, change PINs, brick devices and demand ransoms to return them to operability.

Although DoubleLocker does not contain Svpeng’s banking hack features, it is a very advanced, highly sophisticated piece of code.

As with so many other malicious programs, it gains an initial foothold on the user’s machine by disguising itself as some other, perfectly legitimate program (most often, Flash Player). Once installed, if the user grants the app access, Android’s Accessibility service allows the app to mimic user screen taps and swipes, allowing it to navigate around on the user’s phone.

It immediately locks the user’s PIN with a ransom PIN code and encrypts all files on the device.

This is the most significant development, because previous to finding DoubleLocker in the wild, most other Android ransomware worked by simply locking the user’s phone. This one takes cues from PC-based ransomware and takes the added step of encrypting the files themselves.

Another intriguing difference is that while most ransomware is configured to send the user an unlock code once the ransom is paid, no such code is sent to a user infected by DoubleLocker. Instead, the hackers unlock the phone remotely, upon receiving payment.

For users impacted by DoubleLocker, the following advice has been offered by ESET:

“The only viable option to clean the device of the DoubleLocker ransomware is via a factory reset.

For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work the device needed to be in the debugging mode before the ransomware got activated.

If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device admin rights for the malware and uninstall it. In some cases, a reboot is needed. As for data stored on the device, there is no way to recover it, as mentioned earlier.”
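
The Accessibility Service abuse described above can be checked for from a workstation over ADB. The script below is an added example, not code from ESET or the original article: it lists third-party apps that hold an enabled Accessibility Service and were not installed by Google Play. The function names, the constructed sample data and the choice of com.android.vending as the only trusted installer are assumptions of this example; `--device` mode needs USB debugging enabled on the phone.

```shell
#!/usr/bin/env bash
# Added example: flag third-party apps that hold an enabled Accessibility
# Service and did not come from the trusted installer (assumed: Google Play).
TRUSTED_INSTALLER="com.android.vending"

# Constructed sample of `settings get secure enabled_accessibility_services`
SAMPLE_A11Y='com.google.android.marvin.talkback/.TalkBackService:com.example.flashplayer/.Helper:com.example.passwords/com.example.passwords.AutofillService'
# Constructed sample of `pm list packages -i -3` (third-party apps + installer)
SAMPLE_PM='package:com.example.flashplayer  installer=null
package:com.example.passwords  installer=com.android.vending
package:com.example.game  installer=null'

# Package names in a colon-separated list of "package/service" components.
# Prints one unique package per line; "null" or empty means none are enabled.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | tr -d '\r' |
        sed -e 's,/.*,,' -e '/^null$/d' -e '/^$/d' | sort -u
}

# Installer recorded for package $2 in the `pm list packages -i -3` text $1.
# Prints nothing when the package is not a third-party app.
installer_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v p="package:$2" '$1 == p { sub(/^installer=/, "", $2); print $2 }'
}

# $1 = accessibility setting value, $2 = package list with installers.
# Prints "<package> installer=<installer>" for each app worth reviewing.
flag_sideloaded_a11y() {
    local pkg inst
    for pkg in $(a11y_packages "$1"); do
        inst=$(installer_of "$2" "$pkg")
        [ -z "$inst" ] && continue                      # system / preinstalled app
        [ "$inst" = "$TRUSTED_INSTALLER" ] && continue  # installed from the store
        printf '%s installer=%s\n' "$pkg" "$inst"
    done
}

# Run the same check against a connected device.
audit_device() {
    flag_sideloaded_a11y \
        "$(adb shell settings get secure enabled_accessibility_services)" \
        "$(adb shell pm list packages -i -3)"
}

if [ "${1:-}" = "--device" ]; then
    audit_device
else
    flag_sideloaded_a11y "$SAMPLE_A11Y" "$SAMPLE_PM"   # offline demo on the samples
fi
```

Any package the script prints should be reviewed under Settings > Accessibility and in the device administrators list before it is trusted.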

Some Computer Manufacturers Are Disabling Intel Chip Firmware

Intel is catching some flak for releasing CPU technology that’s filled with security flaws. At issue is Intel’s Management Engine (ME), which is designed for Enterprise use and is of no real value on equipment designed for personal or home use.

Although many popular PC and laptop manufacturers, including Acer, Panasonic, Lenovo, Fujitsu, HP and others are selling equipment with Intel ME enabled, so far, three hardware vendors have opted to disable the firmware.

These three vendors are Dell, System76 and a company called Purism. Of particular interest is the fact that Purism opted to disable the Management Engine almost a full month before Intel released any information about the security flaws in their technology. Apparently, someone else found a way to disable Intel ME, and the company decided to use it as a means of improving the privacy protections of its customers.

According to a recent blog post published by Purism:

“Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it. The Librem 13 and Librem 15 products can be purchased today and will arrive with the Management Engine disabled by default.”

The equipment manufacturers who are selling their wares with the Intel Management Engine enabled have all promised to patch the security flaws in a future update, but as of right now, none of those manufacturers have provided an ETA for when that might be.

In the meantime, if you’re looking to upgrade your equipment and you don’t want to expose yourself or your organization to unnecessary risk, buying from any of the three vendors mentioned above, Dell, System76 or Purism, is a smart choice. It gives your network security team one less thing to worry about, and that’s always a good thing.

Some Websites Can Force Your Computer To Mine Cryptocurrency

Researchers at Malwarebytes have discovered a new exploit that allows malicious website owners to use your PC to mine various forms of cryptocurrency, even if you exit the browser window the malicious site was displayed on.

The exploit relies on a smart pop-under trick. Code on the website determines your monitor’s resolution and places a ghost browser session sitting behind the clock on the MS Windows task bar, where it continues to mine cryptocurrency, utilizing a portion of your CPU’s power and resources.

The impact on your system’s performance is nominal, so only the most observant users will notice anything amiss.

According to Malwarebytes researcher Jerome Segura, “This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will show the browser’s icon with slight highlighting, indicating that it is still running.”

It’s worth noting that there are a couple of other ways you can determine whether some portion of your system’s resources are being coopted in this manner. Restarting your system will certainly do the trick, and if you have your taskbar set to transparent, you’ll be able to see the pop-under quite clearly. Also, resizing or relocating the task bar will reveal the hidden browser window.

This is but the latest chapter in the ongoing battle between hackers and unscrupulous website owners on one side and the makers of ad blocking and other types of security software on the other. In time, ad blocking software will be modified to catch this type of exploit, and in response, the owners of malicious websites will change their approach and find a new way to get around various detection schemes. As ever, while software can certainly help, vigilance remains the best defense.

Firefox Doubles Its Speed With Latest Release

The new version of Firefox is out, and if you’ve moved away from the browser in recent years, it may be time to give it another look.

Dubbed “Quantum,” Firefox’s latest offering has been completely redesigned, and has a lot to like, not the least of which is its raw speed. This latest version is twice as fast and now handily beats Google Chrome in speed tests, thanks in no small part to its next-gen CSS engine, and the fact that it is the first browser to fully utilize the power of multicore processors.

It also consumes 30 percent less memory and positively sips battery power, making it a great choice for laptop and smartphone users.

In addition to that, the revamped browser offers improved tracker blocking, built-in screenshot functionality and of particular interest, support for WebVR, which enables webmasters to take full advantage of the capabilities offered by virtual reality headsets.

You can get Mozilla’s latest offering from their website right now if you’re a PC user, though you’ll have to wait a bit if you’re on a smartphone. The latest release is scheduled to appear on the Google Play Store in a matter of days, but there is, as yet, no ETA on when it will be appearing in Apple’s App Store.

Speed is life in business, and if you’re looking to squeeze out a bit more efficiency and performance from the machines on your network, the new Firefox browser is definitely worth checking out. It’s only a matter of time before the other major players catch up, but until they do, Firefox’s Quantum browser looks to be the new reigning king of the hill and represents a big win for mobile users, given the power savings on offer. Kudos to Mozilla for an exceptional update!

Granting Photo Access In iPhone Might Allow Unauthorized Photographing

An Austrian software engineer named Felix Krause has made a disturbing discovery about iPhones using iOS 11. Once an app has been given permission to access the device’s camera, it can take pictures and videos without alerting the user and upload them to the internet in real time.

Unfortunately, there are a lot of apps that users grant camera permissions to. Basically, any time you upload an avatar or post a picture with an app, you’ve got to give it camera permissions to do that.

Krause documented his findings in a short video presentation. As long as an app with camera permissions was in the foreground, it could snap photos literally every second, all without the user being alerted to what was going on.

Krause was quick to point out that he wasn’t naming names, and so far, at least, there are no known instances of malicious apps abusing this flaw, nor are any legitimate apps misusing it to anyone’s knowledge. The simple fact that it is possible, though, opens the door to a whole host of malicious apps that could, and that’s disturbing.

For the moment, there are really only two ways to address the issue: either go in and modify all your apps’ permissions so that they no longer have camera access, or use lens covers to make it so that your front and back cameras can’t record anything unless you specifically want them to.

Longer term, there are a number of things Apple could do to address the issue. The two simplest fixes would be introducing expiring permissions for apps to allow for more precise user controls, or introducing LED lights that would activate any time the camera was in use, thus giving the user a clear visual marker.

In any case, for the moment, it’s important to know that your phone may be watching and/or recording you.

More Bad News For OnePlus Phone Users

OnePlus phones have been getting plenty of bad press lately, thanks to malicious apps found to be factory-installed on a percentage of the devices, along with some intrusive data collection features the manufacturer has installed. As it turns out, though, the story gets worse.

Recently, a security researcher going by the alias “Elliot Alderson” discovered a factory-installed application called “Engineering Mode” that can perform a series of intrusive hardware diagnostic routines, and can even be used to root the device. What’s worse is that security flaws in the app make it easy for hackers to exploit.

Alderson believes that the likeliest scenario for the existence of the Engineering Mode application is that it was a diagnostic app installed and used at the factory to test OnePlus phones prior to shipment. Somehow, the app was never uninstalled after the initial testing was completed, exposing OnePlus users to extreme danger of losing control over their devices and any data stored on them.

According to Alderson, all a hacker would need is physical access to the phone. Once he has it in hand, one simple command is all it takes to root the phone. Other researchers have independently verified Alderson’s findings. Since he first published them, the company has admitted their mistake and promised to remove Engineering Mode from all OnePlus phones in a future update, although no ETA has been given for when that might occur.

If you currently own and use a OnePlus phone, be aware of this and use with caution. Keep on the lookout for the update from the manufacturer which will remove the “feature” for you, but if you’d rather not wait, you can go into the phone’s settings and manually remove it.

Physical security of smart devices has always been vitally important, but in the case of the OnePlus, that’s doubly true. Keep it close!

Touch And Vibration May Be The Fingerprints Of The Future

Researchers at Rutgers University have hit upon a novel idea that could be a game-changer in terms of biometric identification. The team published a paper entitled “VibWrite: Towards Finger-input Authentication on Ubiquitous Surfaces via Physical Vibration,” and demonstrated a prototype of the device at the Association for Computing Machinery (ACM) conference in Dallas, Texas.

The new technology is a lesson in simplicity, consisting of a simple vibration motor and a receiver on most any solid surface (wood, metal, plastic, glass etc.). The motor sends vibrations to the receiver, and when the user touches the surface, the vibration waves are modified, creating a unique signature.

By itself, this isn’t terribly remarkable or exciting, because a single finger touching the surface in question doesn’t create a signature that’s unique enough for individual identification. On the other hand, combining that basic idea with the act of drawing a pattern or entering a PIN on a vibrating surface would create patterns of sufficient complexity to identify individual users, and that’s where the real magic is.

It should be noted that at this point, the technology isn’t ready for mass production, and the research team estimates that it’ll probably be another two years until it is. Among the things the group still needs to improve are:

• Accuracy – There’s not much more to be done on this front. The current model is 97 percent accurate, producing only three percent false positives. However, that last three percent is crucial.

• Sensitivity – At present, the most persistent complaint associated with using the new technology is that users often have to re-enter the PIN, or retrace the pattern multiple times before they can pass the device’s authentication checks.

• Weather – Ideally, these devices could be placed everywhere, but in order for that to become a reality, they’ll need to be tested in a wide range of temperatures and humidity levels, which hasn’t been done yet.

All in all, it’s an exciting new technology with tremendous possibilities. It’ll be interesting to see how well it is accepted by the market.

Epson Printer Having Issues? It Could Be A Microsoft Update

Do you have an older Epson printer that suddenly stopped working? If so, it may not be the printer at all, but a recent Windows update that lies at the heart of the issue.

German engineer Gunter Born tracked the problem to the following Microsoft Patches:

  • KB4048953 for Windows 10, Ver. 1607
  • KB4048954 for Windows 10, Ver. 1703
  • KB4048955 for Windows 10, Ver. 1709
  • KB4048957 for Windows Server 2012 R2
  • KB4048958 for Windows 8.1
  • KB4048959 for Windows Server 2012
  • And KB4048960 for Windows 7, Service Pack 1

These recent updates caused a malfunction where Epson dot matrix printers are not recognized if they are connected via USB cables.

Epson users noticed the problem immediately, of course, and the issue was reported on a wide range of support forums across the internet as users cast about desperately for a solution. Microsoft ended speculation into the matter fairly quickly, confirming the recent patches as the root cause of the issue, and promised that a patch to the patches was coming. As of now, though, we don’t have an ETA on when the fix can be expected.

In the interim, users can still make use of their printers by uninstalling the faulty updates. Gunter Born recommends running the following command in a cmd.exe window:

wusa /uninstall /kb:xxxxx /quiet /warnrestart

If this command is run as Administrator, and “xxxxx” is swapped out for the number of the faulty KB update you installed, printer functionality will be restored.

It’s far less than optimal, though, because those updates contained a variety of patches for security issues. However, if you need immediate access to that printer, until Microsoft issues a revised patch, it’s about the only option you’ve got. Just make sure your IT staff is aware so that they can be on the lookout for the update.