Almost Half Of Top Ranking Websites Are Vulnerable

Menlo Security just released its third annual “State of the Web” report, and it’s not pretty.  The headline finding is that 42% of the top 100,000 sites, as ranked by Alexa, are more dangerous than you think.

The report defines a risky site as one that meets one of three criteria:

  • The site, or one of its associated background sites (from which news articles or video is pulled), is running software with a known security vulnerability
  • The site has been used to launch attacks or distribute malware
  • The site has suffered a security breach in the past twelve months

The first point is key, and often overlooked by security professionals.  Any time your website pulls content from another source, it creates an opening that a hacker could potentially exploit.  Worse, most security professionals lack the tools to properly monitor those connections.

As bad as that sounds, there’s an even worse detail lurking in the pages of the report, and that concerns emails.

Hackers are increasingly moving away from setting up their own domains.  Instead, they prefer to create a subdomain of a compromised, legitimate domain, which makes it harder to spot.  Amir Ben-Efraim, the CEO of Menlo Security, had this to say about the issue:

“It is far easier to set up a subdomain on a legitimate hosting service than use other alternatives – such as trying to hack a popular, well-defended site or to set up a brand-new domain and use it until it is blocked by web security firms.  Legitimate domains are often whitelisted by companies and other organizations out of a false sense of security, giving cover to phishing sites.

Also, hosting services typically allow customers to set up multiple subdomains.  For example, researchers found 15 phishing sites hosted on the world’s 10 most popular domains.”

The bottom line is:  The web, and even the most popular sites on it, aren’t nearly as safe as you think.

Vulnerability Found In Popular Grammar Checker

On February 2, Tavis Ormandy, a researcher on Google’s Project Zero team, discovered a critical flaw in the popular online grammar checking app, “Grammarly.”  Tens of millions of users make regular use of the app to improve the quality of their writing.  The bug allowed a hacker to steal a Grammarly user’s authentication token and use that token to log on and access every document they’ve run through the Grammarly system, along with that user’s history, logs and other data.  They were able to do it all using just four lines of JavaScript code.

The bug was found in both the Firefox and Chrome Grammarly extensions and was reported immediately.

While response time to such a report varies greatly, Grammarly set a new record for speed and efficiency.  The bug was reported on a Friday, and by Monday, it was patched.  If you use either the Chrome or the Firefox Grammarly extension, there’s nothing for you to do, as these should update automatically.

A spokesman for Grammarly had this to say about the matter:

“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery.  At this time, Grammarly has no evidence that any user information was compromised by this issue.

We’re continuing to monitor actively for any unusual activity.  The security issue potentially affected text saved in the Grammarly Editor.  This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension.  The bug is fixed, and there is no action required by Grammarly users.”

Kudos to Tavis Ormandy for finding the bug, and a hearty round of applause to Grammarly for their speedy and deft handling of the issue.  Given the severity of the bug, it’s easy to see how such a discovery could have gone an entirely different direction. As it turns out, Grammarly set a new bar for excellence with their handling of the issue.

Some Smartwatches May Be Able To Diagnose Diabetes

That smartwatch you’re wearing might save your life.  Literally.

A new study conducted by the University of California San Francisco, and a healthcare startup called Cardiogram revealed that smartwatches and other wearables were able to detect diabetes in previously diagnosed patients an impressive 85 percent of the time.

The study monitored health statistics of more than 14,000 smartwatch wearers (both Android and Apple) over the course of several months.  All health data that was collected was fed into a deep neural network, which compared the collected data to samples taken from people both with and without diabetes.

Obviously, while 85 percent is good, it falls short of greatness.  Then again, the AI routine (dubbed “DeepHeart”) is still in its infancy and is all but certain to continue improving over time.

That’s important, given how many people in America have diabetes.  It is estimated that there are more than 100 million Americans who either have the disease or who are prediabetic, and many of these haven’t been diagnosed yet.

Given these results, and in a bid to further improve DeepHeart’s accuracy, the company plans to incorporate the AI into the next update of its app on both iOS and Android platforms.

All that to say, if you currently have and wear a smartwatch or other wearable, it may help you in ways you can’t even begin to imagine.  This is the bleeding edge of a segment of the market that is only just beginning to emerge.  At this point, it’s so new that it would be difficult even to say it’s in its infancy.  Although we can’t know for certain what new revelations and advances wearable technology will bring to the medical field, based on what we’ve seen so far, we can say there will be a bunch of them, and they’ll all be exciting.

If you’ve been considering getting one but haven’t yet, this is a pretty solid reason to do so.

Smart TVs May Be Tracking You And Vulnerable To Hacks

Do you own a smart TV?  More than half of all television sales in the US last year were smart TVs, so chances are decent that you own one.  If you do, be aware that it may be collecting far more data about you than you think.

Recall that last year, Samsung (one of the top smart TV manufacturers) found itself in hot water when it was revealed that the TV could listen in on conversations, record them (for better voice recognition) and save them on a Samsung server.

Those issues still persist to varying degrees, but a recent Consumer Reports study underscores something most people in the tech business have known all along.  Smart devices really aren’t all that smart, at least when it comes to security.

The Consumer Reports study concluded that most smart TVs and associated technologies like the Roku have only the most rudimentary of security features and can easily be hacked, giving the hackers total control of your TV.  This includes the ability to turn it off or on, change the channel, and monitor your viewing habits.  Since these TVs can also be voice-controlled, once a hacker is in control of your set, he could monitor any conversations that take place near it without your knowledge.

In addition, the most recent smart TVs come with a feature called Content Recognition.  For example, if you watch the latest episode of the Walking Dead (whether on AMC or Amazon Prime or some other streaming service), the next time you pull up a web page on your PC or smart phone, you’ll start seeing advertising related to the Walking Dead.

This, of course, gives any would-be hacker a much deeper view into your viewing habits and history.

The upside is that most of these features can be deactivated if you have the patience to sift through the television’s menu system. Of course, if you do that, then it’s no longer a smart TV, and thus, not worth the extra money you spent on it.

As ever, the bottom line is this:  These kinds of risks aren’t going to go away on their own.  Until and unless smart device makers start taking security more seriously, we’re going to keep hearing about potential or actual abuses.

Microsoft Office Update Available To Only Windows 10 Users

There are big changes coming to MS Office which you need to be aware of, given how widely used “Office” is in most companies.

First, the headline change:  When MS Office 2019 is released, it will only run on Windows 10.  If you’ve still got machines on older operating systems, and you want to keep your productivity suite up to date, then you’ll need to upgrade those older systems.

Also, be aware that when Office 2019 ships, it will only have “Click-to-Run” technology.  No MSI, although Office Server will have an MSI deployment option.

In terms of software support, the company had this to say:

“Office 2019 will provide five years of mainstream support and approximately two years of extended support.  This is an exception to our ‘Fixed Lifecycle Policy’ to align with the support period for Office 2016.  Extended support will end 10/14/2025.”

The Office 2019 bundle will include the following apps:

  • Word
  • Excel
  • PowerPoint
  • Outlook
  • Skype for Business

Additionally, server versions of SharePoint and Exchange will be available.

In conjunction with the announcement above, the company also announced service extensions for Windows 10, and changes to the system requirements for people who use Office 365 ProPlus, the company’s online office suite.

Beginning on January 14, 2020, Office 365 ProPlus will no longer be supported on Windows 7, Windows 8.1, Windows Server 2016, or any Windows 10 LTSC (Long Term Servicing Channel) release.  Windows 10 versions 1511, 1607, 1703, and 1709 will get an additional six months of support for both enterprise and education customers.

Although these changes will no doubt inconvenience some users, overall, they have to be judged as a positive.  Microsoft has been taking a number of meaningful steps in recent years to streamline and simplify their product support, and these latest changes are very much in keeping with that.

2018 Olympics Hit By Malware

Hackers aren’t picky about their victims.  They’ll target just about any group or organization, including the 2018 Olympics.

Cisco’s Talos Group recently identified a new strain of malware they’ve dubbed “Olympic Destroyer,” which is wreaking havoc in PyeongChang’s computer networks and causing downtime to internal WiFi and television systems.  This has impacted the games’ opening ceremonies, and stands an excellent chance of further disrupting the rest of the festivities.

Because the threat was only recently discovered, the Talos team’s initial assessment and report was spotty and short on details, but the group recently amended their initial findings.  The results aren’t pretty, and the malware is seen as being both more dangerous and more advanced than originally thought.

The big three findings in the team’s amended report are as follows:

  • It’s Polymorphic – As the malware spreads, it collects new credentials from each machine it infects, adding these to its binary on the fly. Members of the Talos team had this to say about the behavior: “I have not seen a malware sample modify itself to include harvested creds before and I’ve been doing this stuff longer than I should admit.  Polymorphic malware isn’t a new idea by itself, but I’ve never seen any examples of malware modifying itself to include harvested credentials.”
  • It Spreads Via The EternalRomance Exploit – This bit of information comes to us from the Windows Defender team. The mechanism by which Olympic Destroyer spreads is industrial grade, utilizing an exploit from the NSA leaked by the Shadow Brokers last year.
  • Finally, It Wipes Data – This is perhaps the most significant of the three updates to the Talos report. The malware has a data wiping mechanism built into it that it utilizes at every opportunity in an attempt to delete files on network shares.  Since it only seems to target shared files, it’s not deleting items key to OS functionality. Even so, these shared files are important, and this is what’s causing operational disruptions.

More details will no doubt become available as the various teams researching Olympic Destroyer get a better understanding of what they’re looking at.  The bottom line is, it’s a pretty advanced threat and will likely inspire copycats in the months ahead.

Changes To Google Images Will Make Image Theft Difficult

Image theft is one of the biggest problems on the internet.  If you’re a photographer, you’ve almost certainly lost money because people find your work online and make a copy of it rather than paying for the right to use it.

Unfortunately, Google has made that incredibly easy to do, but that’s changing.  Until recently, if you did a Google image search, you’d get a list of images that matched your search phrase, and one of the buttons displayed was a “View Image” button that would take you to the image file itself, as opposed to viewing the image in the context of whatever web page it was displayed on.

This, of course, made stealing the image a trivial task.  Content providers have been complaining loudly, and Google listened.  Effective February 15, the “View Image” button is no longer listed.  Of course, it’s still possible to steal the image in question, but users will have to jump through at least a couple more hoops to do so.

A second, smaller and somewhat less impactful change is the fact that Google has also removed the “Search By Image” button that formerly appeared when you navigated straight to an image file.  Savvy users will still be able to drag the image itself to the search bar and accomplish the same thing, but relatively few people are aware of this, which will cut down on its use significantly.  The thinking here is that netizens were making use of this feature to find copies of images that didn’t have a watermark visible.

While these two changes give photographers reason to cheer, it definitely negatively impacts the user experience, as there are a number of perfectly legitimate uses for copyrighted image material.  The bottom line is that if you’re accustomed to the old way of searching for and acquiring images, you’ll have a bit of an adjustment period ahead.

Google Will Get Tougher On Websites Not Using HTTPS

Google is poised to make an important change to its Chrome browser beginning in July 2018.

Here’s the summary from Emily Schechter, the Google Chrome Security Product Manager:

“For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption, and within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as ‘not secure.’  Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as ‘not secure.’”

All the major browsers already have plug-ins that alert users anytime they’re visiting a non-secure (HTTP) website, but Google’s planned move will likely prompt them to incorporate the notification into their core product as well.

According to Google’s statistics, 81 of the top 100 sites (as ranked by traffic volume) already use HTTPS.  In addition to that, Google reports that Chrome users land on HTTPS pages 68 percent of the time when using Android and Windows, and 78 percent of the time when using Mac OS X, iOS, and Chrome OS.  Those figures are markedly higher than they were in 2010, when an estimated 40 percent of websites were using the Secure Sockets Layer (SSL).

If your company’s website hasn’t already made the switch, the time to do so is now.  The writing is clearly on the wall, and it’s not hard to imagine that after Google begins “shaming” non-secure sites with the notification, they’ll also start implementing penalties that will hurt their position on search results pages.  Even if they don’t, the persistent non-secure warnings will be enough to keep many users away.  No matter how well optimized or SEO-friendly your site is, an increasing percentage of users may simply opt out if it’s not secure.

New Bug Discovered in iOS That Can Disable iPhone Apps

Last year, Apple had to fix a “special character” bug in their Message app that was more of an annoyance than anything.  This year, a new special character bug has been found, but this one is much more serious and could allow an attacker to crash your phone and block access to a variety of messaging apps.

The bug is specific to iOS 11, so if you’ve got an older version, you don’t have anything to worry about.  The company has already announced that it will be fixed in the upcoming release of iOS 11.3.

Unless you’re in the habit of getting messages in Telugu (an Indian language), you’re not likely to see it, because the bug relies on one of the special characters utilized in that language pack.  Once you receive a message containing the special character, your phone will crash.  Even after you restore it, you’ll find that you’re not able to access iMessage, WhatsApp, Facebook Messenger, Gmail, or Outlook for iOS.  Telegram and Skype, however, appear to be unaffected.

Unfortunately, you don’t have a lot of control over who sends text messages to you, so until the patch is released this spring, there’s not much you can do except to be mindful that it could happen.

If you’re a long-time user of Apple products, then you know that this is hardly the first time that strange things have caused the OS to crash.  Just last month, it was discovered that a properly formatted URL could cause a system crash.  In 2015, researchers discovered that a properly formatted text string could cause iMessage to crash.  Just last year, a five-second video caused iPhones around the world to crash.  All that to say, keep an eye out for strange text messages, and definitely upgrade to iOS 11.3 as soon as you get the opportunity to do so.

IRS Labeled Email Could Contain Ransomware

There’s a new strain of the “Rapid Ransomware” making the rounds, and because of how it’s being transmitted, it’s destined to have a higher than average rate of infection.  The new strain was first discovered by Derek Knight. It is disturbing because it claims to come from the IRS, and will feature subject lines like “IRS Urgent Message-164.”

The body of the email then goes on to say that the recipient owes some amount of money in real estate taxes, and “helpfully” includes instructions for how to settle in the attached file.  Inside the zipped file, the user will find a Word document.  You’ll need to click on “Enable Editing” to see the file, and unfortunately, the moment you do, you’re doomed.  “Rapid” will scan the target computer for data files and encrypt them, appending each with the “.rapid” extension.

As soon as the malware finishes encrypting your files, it will automatically open “Recovery.txt,” which displays details on how much you’ll have to pay the hackers to get your files back.  Unlike most other ransomware strains, this one configures itself to start every time you log in to the computer, so if you pay the ransom to get access to your files again but fail to completely remove the malware, you’ll be facing the same problem the very next time you use the machine.

Observant users will notice that the sender’s email address is not a .gov address and will likely not be taken in.  Unfortunately, many people will look no further than the subject line and immediately begin following the instructions contained in the email, which is obviously the reaction the hackers are hoping for.

As ever, protecting yourself from threats like these comes down to two things:  Education and vigilance.
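As a concrete aid to that vigilance, here is an added example (not code from the article or from any vendor) that checks a constructed message for the lure’s traits and walks a directory for the on-disk indicators the article names; the sender and attachment heuristics, the sample address and the temporary-directory layout are assumptions.

```python
import os
import tempfile
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of the lure described above; not a real message.
SAMPLE_MAIL = """From: IRS Billing <notice@tax-refund-example.com>
Subject: IRS Urgent Message-164
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You owe real estate taxes. Instructions are in the attached file.
--b1
Content-Type: application/zip; name="Instructions.zip"
Content-Disposition: attachment; filename="Instructions.zip"

UEsDBAo=
--b1--
"""
RAPID_EXT = ".rapid"          # extension appended to encrypted files (from the article)
RANSOM_NOTE = "Recovery.txt"  # note opened once encryption finishes (from the article)


def suspicious_irs_mail(raw: str) -> list:
    """Reasons a message matches the lure: IRS-themed subject from a non-.gov
    sender, and a zipped attachment. Both heuristics are assumptions."""
    msg = message_from_string(raw)
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if "irs" in msg.get("Subject", "").lower().split() and not domain.endswith(".gov"):
        reasons.append(f"IRS-themed subject from non-.gov sender {domain}")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            reasons.append(f"zipped attachment {name}")
    return reasons


def scan_for_rapid(root: str) -> dict:
    """Walk a tree and collect on-disk indicators: .rapid files and ransom notes."""
    hits = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(RAPID_EXT):
                hits["encrypted"].append(path)
            elif name == RANSOM_NOTE:
                hits["notes"].append(path)
    return hits


def demo_scan() -> dict:
    """Build a constructed directory with two encrypted-looking files and a note."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    for name in ("budget.xlsx.rapid", "sub/photo.jpg.rapid", "readme.txt", "sub/Recovery.txt"):
        open(os.path.join(root, name), "w").close()
    return scan_for_rapid(root)
```

Both checks are simple indicator matches, so treat a hit as a prompt to investigate, not as proof of infection.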