Large Number Of HP Models May Have Keyloggers

HP is in the news again. If you missed the initial story, earlier in the year, it was reported that an audio driver that came pre-installed on a number of HP laptops contained keylogging code that stored every keystroke made by the person using the machine to a human-readable file. Once discovered, HP issued a patch that removed the keylogging function and deleted the data file.

Now, an independent security researcher going by the name “ZwClose” has discovered more built-in keyloggers in 460 HP Notebook models and counting.

At issue is the SynTP.sys file, which is an integral part of the Synaptics Touchpad driver that ships with a great many HP Notebooks. Although the keylogger is disabled by default, a hacker could enable it using open source tools, simply by changing a registry value.

After HP was notified, the company released a security advisory, which included the following:

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”

Since the release of the security advisory, HP has issued a driver update that removes the code for all affected models, so from a business and security standpoint, there’s nothing to be done here.

In an era where privacy on the internet is under increasingly intense assault, however, it’s worth noting that this is the second time an issue like this has been tied to HP equipment, and that’s concerning. Privacy matters, and if you’re concerned about it, then two such issues might be enough to make you start looking at some other vendor when it comes time to start replacing or upgrading your equipment.

Android Gets Fix For KRACK WiFi Vulnerability

Last month, a new WiFi security vulnerability known as “Krack” was discovered by a security researcher named Mathy Vanhoef. It was about as serious as a security flaw could be, enabling hackers to clone a router and funnel traffic through it, either monitoring all the activity on the network, or, if they wanted to be more destructive, conducting all manner of “man in the middle” attacks against anyone on the network.

The major tech companies were all given advance notice of Vanhoef’s research, and as such, not long after it was published, many responded almost immediately with patches. Apple, for example, released a Krack patch at the end of October.

Microsoft was even quicker to respond, releasing a patch to the problem quietly before Vanhoef’s research was even published.

In that regard, Google has been a bit behind the curve, but as of the release of this month’s Android Security Bulletin, the company has at last provided a fix for the issue.

This month’s bulletin is split across the following three patch levels:

• 2017-11-01
• 2017-11-05
• And 2017-11-06

The fix for the Krack issue is contained in this last one.

If your Android device is set to automatically receive security updates, then there’s nothing for you to do. The patch has already been installed on your phone.

If you tend to take a skeptical view of automatic updates, then at the very least, be sure to grab 2017-11-06. If you don’t, you’re probably putting your organization at unnecessary risk. If you want to check to see if you’re vulnerable before applying the update, you can do that, too. Vanhoef released his proof-of-concept code and detection tools on his GitHub account, and since releasing the data, an interested third-party has developed a tool aptly named “Krack Detector” you can use to see if you need the fix.

Either way, it’s worth looking into, and something your team should make a priority.

Issue With Android Could Let Someone Record Screen And Audio

Do you have an Android phone? Is it running either Lollipop, Marshmallow or Nougat? Those three account for slightly more than 75 percent of the Android phones in service today, so odds are excellent that you do. If so, you should be aware of a nasty vulnerability that could allow a hacker to perform at-will screen captures and audio recording without your knowledge.

The issue resides within Android’s MediaProjection service, which has been a part of the OS since its earliest days. The reason that it has only recently become an issue, though, is that prior to the release of Android Lollipop (version 5.0), third-party apps couldn’t make use of it. It required both root-level access and that the app in question be signed with the device’s release keys, which meant that only system-level apps deployed by Android OEMs could utilize MediaProjection.

That changed with the release of Lollipop, which opened the service up so that anyone could use it. Unfortunately, when Google relaxed access to the service, they didn’t put it behind a permission that apps would have to request from users. All a third-party developer needs to do to access MediaProjection is to make an “intent call” that shows a System UI popup, warning users that an app wants to capture the screen and/or system audio.

Here’s the problem, though. Security researchers discovered that an attacker could detect when the system popup would appear, and knowing that piece of information, they could trigger some other message to appear on top of it, effectively blinding the phone’s owner to the fact that screen captures and audio recordings were in process.

Since the discovery of the security flaw, Google has released a patch that addresses it. Unfortunately, the patch only applies to Android Oreo (8.0). Older phones are still vulnerable.

If there’s one saving grace, it is the fact that the attack is not completely stealthy, and observant users will note the screencast icon in the phone’s notification bar. It’s far from perfect protection, but it’s something, so be aware if you’ve got an older Android phone.

Many Businesses Found To Be Running Old Microsoft Office Versions

When an operating system reaches the end of its supported life, such as Windows XP, NT and Vista have, it’s big news. It makes headlines. When other forms of software reach the end of the line, there’s just not as much fanfare. It’s not that it’s not important; it’s just not something people think or care very much about.

They probably should, at least according to a recently released survey by Spiceworks, which revealed statistics that were both shocking and dismaying. Here are a few of the highlights:

• Fully 68 percent of businesses surveyed are still running instances of Office 2007, in spite of the fact that the software stopped receiving security updates in October
• Nearly 50 percent (46 percent to be exact) are still running Office 2003
• 21 percent are still running Office 2000
• 15 percent are running Office XP
• And three percent are amazingly still running some instances of Office 97

Of particular interest was the fact that most of the firms running outdated software are mid-sized companies employing between 100 and 1000 people. Large companies have the resources to keep their software up to date and smaller firms, recognizing their lack of resources, have readily moved to embrace Office 365, which is always up to date, and thus, saves them money and headaches.

Those firms stuck in the middle, though, and possibly your own company, find themselves in a tricky position. They’ve invested heavily in productivity tools, then found themselves in the unenviable position of not having the resources to keep them fully updated, and of course, are reluctant to lose their investment by switching to Office 365.

It’s undeniably a balancing act, but the reality is that if your company is using outdated productivity tools, your risks of a breach are higher than they should be. It’s something that’s too important to gloss over or delay. If you’re using an outdated version of Office or other productivity tools, find a way out of that box as soon as is feasible. Your data security staff will thank you for it, and it’ll give you peace of mind.

Always Connected Laptops Could Be The Next Generation Of Hardware

What’s the next big thing for the PC world? If the industry’s major players have anything to say about it, it will be the “always-on” PC.

Forget about plugging into your company’s network. Forget about free WiFi Hotspots. With an always-on PC, you won’t have to worry about either. If they’re not available, your PC can connect via the same cellular data network your smartphone uses, which means you’ll always be just a few mouse clicks away from your data.

It sounds fantastic, but there is, of course, one giant wrinkle in the equation: cost. More specifically, although several major hardware manufacturers are planning to sell always-on PCs soon, nobody knows how much the data plans will wind up costing in the longer term.

A few telecommunications companies have already given some indications here. T-Mobile has announced that its ONE unlimited service will be available for $20 a month. AT&T’s rates are significantly higher, charging $30 a month for 3GB of DataConnect data, and Verizon is charging $10 a month per gigabyte of data.

Depending on how much data you’re working with, that can get expensive very quickly. You could easily wind up paying more on your data plan than the PC itself set you back, and that’s before taking into account what impact the recent reversal on the Net Neutrality policy may have going forward.

One thing’s for certain: carriers won’t be able to get away with charging too much for the service, or customers will simply opt not to play the game, preferring to continue to flock to free WiFi hotspots as they’re doing now.

The first always-on PCs will start shipping in 2018, at which time we’ll find out how anxious the market is to embrace the new feature, and what kind of premium they’ll be willing to pay for it. Stay tuned.

DirecTV Genie DVR May Have A Major Vulnerability

If you have a Genie DVR system, you should be aware of a major security flaw in the firmware that could allow a hacker to take complete control over the device.

At issue is the equipment offered by AT&T as part of their free DirecTV WVB Kit. Researchers from Trend Micro’s Zero Day Initiative (ZDI) discovered a zero-day vulnerability in one of the core components of the system, the Linksys WVBR0-25, a Linux-powered wireless video bridge. It is this bridge that allows customers to connect up to eight Genie client boxes to the television sets in their homes.

Trend Micro researcher Ricky Lawshae took a deep dive into the firmware and was able to get the Linksys WVBR0-25 to divulge a wealth of information from the device’s web server, without requiring any sort of authentication whatsoever. There wasn’t even a login screen, just a wall of easy-to-access text, which included:

• Customer WPS PIN
• Connected clients
• Processes currently running

And more. Lawshae had this to say after completing his investigation:

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point I became pretty frustrated.

The vendors involved here should have some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to effect the changes needed in the industry to prevent simple yet impactful bugs from reaching unsuspecting consumers.”

It gets worse, though. When ZDI reported this security flaw to the manufacturer, rather than issuing a patch to correct it, the company simply ceased all communication. After more than six months of trying, and getting nowhere, ZDI decided to publicize the vulnerability in the hopes that doing so would finally prompt the company to take action.

Until they do, about your only option (aside from simply canceling your service) is to limit the number of devices that can interact with Linksys WVBR0-25 so as to limit your exposure.

Latest iOS Version May Have Bug That Changes Your Letters

If you’re using an Apple device running iOS 11.0.3 or 11.1, you may have noticed some oddities when sending text messages. For reasons that aren’t quite clear, the letter “I” is being replaced by the characters “A[?].” It’s not a game-breaking bug, but it is annoying, and if you’re not paying attention, it can make for some rather mystifying text messages.

Fortunately, Apple is on the case, and the company has announced that they’ll have a fix for the issue in their next release. If you’d rather not wait, there are several things you can do in the meantime to work around the issue. In no particular order, these are:

• Simply disable Apple’s predictive text auto-correct feature. If you rely on it frequently, this may slow you down some, but it is probably the most straightforward approach to take at the moment.
• Install a third-party keyboard app, since these use their own predictive text features.
• Or, take Apple’s recommendation and set up a text replacement rule (essentially replacing a lower-case “i” with an upper-case “I”).

If you opt for this last approach, go into your phone’s settings, look under the General tab, then Keyboard, and choose “Text Replacement.”

Tap the plus sign (+), then, for “Phrase,” type an upper-case “I”. For “Shortcut,” type a lower-case “i.”

Save that change, and you should be all set.

To reiterate, this isn’t a huge deal, and it’s hard to see how this could cause anything but a bit of annoyance and perhaps a few scattered miscommunications. Even so, if you send more than a handful of text messages during the course of a typical business day, it’s probably worth spending a few minutes implementing one of these simple workarounds until Apple can ride to the rescue with a permanent fix.

Apple Might Be Working On Universal Apps Across Mac, iOS

Apple has been quietly working on something called “Project Marzipan” for a couple of years now, and it appears that they’re getting closer to unveiling it.

The company seeks to bring its MacOS and iOS platforms closer together by developing universal apps that will work in either environment. This mirrors Microsoft’s Universal Windows app strategy, where apps can detect the environment they’re running on and adjust their display and navigation accordingly.

Project Marzipan presents some real challenges for Apple because MacOS programs use an entirely different set of development tools, although there is some overlap. The programming language called Swift, for example, can be used to make apps that run in either environment, and if the company placed a greater emphasis on it, the process of creating their own universal apps would be greatly simplified.

The thinking behind Marzipan seems to be driven by the company’s desire to breathe new life into the Mac App Store, which hasn’t seen nearly the level of success as their iOS Store. The move would be a boon to developers because creating a common platform would allow Mac app developers to get their product in front of more potential customers.

Another potential reason is that the company may be planning to ultimately merge MacOS and iOS into a singular operating system that runs every Apple product. It’s a compelling theory, but the company has said nothing to confirm it.

In any event, if Apple goes ahead with Marzipan, and at this point, all indications are that they will, then we can expect a public announcement to that effect at next year’s Worldwide Developers Conference. The first of the universal apps should appear not long after that, although the process of merging the two app stores and building out a robust collection of universal apps could take more than a year.

Corporate Attacks On The Rise Through Vulnerable Printers

Few things are more ubiquitous in an office environment than printers. Of course, these days, most printers are much more than simply that. They can also scan, copy and even send emails. As such, they’ve become an increasingly attractive option to hack, according to the latest data released by Barracuda Networks.

The reason is simple. Most printers aren’t as well protected as PCs and other devices on your network. They’re the weak point in your company’s defensive armor.

The upsurge in this type of attack seems to be focused on Canon, HP and Epson printers, and works like this:

A printer is compromised and used to send spoofed scanned attachments, usually bearing an innocuous subject line such as “Scanned From HP,” “Scanned from Epson” or “Scanned from Canon.”

Most employees don’t think twice about opening such attachments because they appear to be from a legitimate source inside the company, which is, of course, exactly what the hackers are counting on.

While any sort of payload can be delivered in this manner, the most common strain found installs a back door on the target PC, allowing the hackers to:

• Monitor behavior and log keystrokes
• Change computer settings
• Copy files
• Access other connected systems
• And more.

In a clear indication that the malware could be used to launch a ransomware style attack, it also gives the hackers the ability to replace the PC’s wallpaper with any file they choose.

Employees should be more mindful about this type of attack and always double check to make sure the sender is valid. Also, it’s important to hover over the links embedded in such emails in order to be sure they’re valid before clicking on them.
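A mail-side check for the spoofed “Scanned from …” messages described above, added here as an example and not code from the article or from Barracuda. The internal domain, ingress mail server, printer hostname pattern and both sample messages are constructed assumptions; the point it adds to the advice above is that the From address alone is not enough, because the spoof below forges it and is caught only by the hop your own server recorded and by the attachment type.

```python
"""Flag e-mails that impersonate a scan-to-email job from an office printer.
Added example, not code from the article or from Barracuda: it flags messages
whose subject mimics a printer's "Scanned from ..." notification but whose
handoff to our mail server or attachment type does not fit a real printer."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (hypothetical names): the organisation's mail domain, its ingress
# MTA, and the hostname pattern its printers present when relaying scans.
INTERNAL_DOMAIN = "example.com"
INGRESS_MTA = "mail.example.com"
PRINTER_HOST_RE = re.compile(r"^(hp|epson|canon)-mfp-\d+\.example\.com$", re.I)
SCAN_SUBJECT_RE = re.compile(r"scanned\s+from\s+(hp|epson|canon)", re.I)
EXPECTED_SCAN_TYPES = {"application/pdf", "image/jpeg", "image/tiff"}

def peer_at_ingress(msg):
    """Host that handed the message to our own MTA. Received headers below that
    hop were added by the sender and can be forged; this one was written by us."""
    for hop in msg.get_all("Received") or []:
        m = re.match(r"from\s+(\S+).*\bby\s+" + re.escape(INGRESS_MTA) + r"\b", hop, re.S)
        if m:
            return m.group(1)
    return None

def scanner_spoof_reasons(raw):
    """Reasons a message looks like a spoofed scan; [] if clean or unrelated."""
    msg = message_from_string(raw)
    if not SCAN_SUBJECT_RE.search(msg.get("Subject", "")):
        return []  # not claiming to be a scan, so this rule does not apply
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + INTERNAL_DOMAIN):
        reasons.append("sender domain is external")
    host = peer_at_ingress(msg)  # a forged From header cannot change this
    if host is None or not PRINTER_HOST_RE.match(host):
        reasons.append(f"handed off by {host!r}, not a known printer")
    types = {p.get_content_type() for p in msg.walk() if p.get_filename()}
    bad = types - EXPECTED_SCAN_TYPES
    if bad:
        reasons.append("unexpected attachment type(s): " + ", ".join(sorted(bad)))
    return reasons

def build_mail(received_lines, sender, subject, ctype, fname):
    """Assemble a constructed message carrying a single attachment."""
    headers = received_lines + [f"From: {sender}", f"Subject: {subject}",
        "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"']
    body = ["--b1", f'Content-Type: {ctype}; name="{fname}"',
            f'Content-Disposition: attachment; filename="{fname}"', "",
            "(attachment bytes omitted)", "--b1--"]
    return "\n".join(headers + [""] + body) + "\n"

# Constructed samples: a genuine scan from an internal printer, and a spoof
# that forges the From address but reaches our MTA from an outside host with a ZIP.
LEGIT = build_mail(["Received: from hp-mfp-02.example.com (10.0.5.20) by mail.example.com"],
                   "scanner@example.com", "Scanned from HP", "application/pdf", "scan001.pdf")
SPOOFED = build_mail(["Received: from mail.example.com by mx.example.com",
                      "Received: from vps-7.hosting.example (198.51.100.7) by mail.example.com"],
                     '"HP Scanner" <scanner@example.com>', "Scanned From HP",
                     "application/zip", "scan_4421.zip")
```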

If you haven’t been on the receiving end of an attack like this yet, count yourself lucky and stay vigilant.

Older iPhones Are Being Purposefully Throttled, According To Apple

Not long ago, observant Reddit users noted and began discussing a curious phenomenon. It appeared that older iPhones were unexpectedly slowing down, and no one could name the reason why.

It caught the attention of a number of security researchers who delved more deeply into the issue, including a man named John Poole, who confirmed the Reddit claims. His tests confirmed that on iPhone 6s and 7s, Apple made tweaks to iOS versions 10.2.1 through 11.2.0.

These changes are designed to throttle the phone’s performance when the battery degrades beyond a certain point. While the company itself has subsequently confirmed the findings, they didn’t offer much in the way of a detailed explanation other than to say:

“Our goal is to deliver the best experience for customers, which includes overall performance and prolonging the life of their devices. Lithium-ion batteries become less capable of supplying peak current demands when in cold conditions, have a low battery charge or as they age over time, which can result in the device unexpectedly shutting down to protect its electronic components.

Last year we released a feature for iPhone 6, iPhone 6s and iPhone SE to smooth out the instantaneous peaks only when needed to prevent the device from unexpectedly shutting down during these conditions. We’ve now extended that feature to iPhone 7 with iOS 11.2, and plan to add support for other products in the future.”

If you have an older iPhone, you may find yourself in disagreement that throttling its performance optimizes your user experience, and admittedly, it isn’t an optimal solution. On the other hand, having your phone power down unexpectedly when the battery life still reads 40 percent can be worse than annoying.

The only way around it is to replace your battery, which will not trigger the throttle built into the OS.