Tag: Technology Tips

Malware Makers Testing Vulnerability Of Meltdown And Spectre

Security researchers from around the web are reporting finding an increasing number of instances of proof of concept (PoC) code that incorporates the recently discovered Spectre and Meltdown vulnerabilities.

If you somehow missed those earlier reports, Spectre and Meltdown are a pair of critical security flaws recently discovered in literally every Intel chip set made over the last decade.  Exploiting these vulnerabilities would give a hacker root-level access to the impacted system.

Since the discovery, the chip giant has been scrambling to fix the issue. However, their first attempt to do so caused so many system problems for people who installed the patch that the company is now recommending that users avoid it until they can come up with a better solution.

Unfortunately, that leaves you between the proverbial rock and a hard place.  Installing the patch will protect you, but cause you to experience system reboots several times a day and seriously degraded performance.  Not installing it leaves you at the mercy of the hackers.

So far, at least, it appears that most of the proof of concept code found is the result of security researchers playing with the exploits.  This includes testing them, seeing how they work, and how to prevent them.  That said, the researchers point out that it’s all but certain that some of the PoC examples were created by teams of hackers who plan to use them in their next round of attacks.

To make matters worse, Mozilla has confirmed that the Spectre flaw can be executed remotely by inserting commands into Javascript.  Given that, plus the increased appearance of PoC code fragments, it seems it’s just a matter of time before we see the first ever Spectre-based hack.  The clock is ticking.

Microsoft is Adding Much Needed Feature To Windows Defender

Microsoft is getting tough on so-called “registry cleaners”, and it’s about time.  The company recently announced a planned change to Windows Defender (the anti-malware program that comes standard with every Windows installation).  The change will see to the deletion of an increasing number of these registry cleaners.  It’s a great move, and the company deserves credit for it, but there’s a catch.  This type of software has been around for decades. So the move, as welcome as it is, comes very late in the game.

It’s overwhelmingly likely that you’ve seen these programs in action.  They’re usually free downloads (though there are a few web based services too) that scan your system to find problems with your registry that the software claims are causing performance issues and slowing your machine down.

There are two major problems with this:  First, the software tends to be light on details, refusing to provide much information about exactly why the “problems” that have been identified are impacting system performance.  Worse, the software often incorrectly identifies critical system files and registry entries as being problematic. So of course, when they are deleted, they actually create many more problems than they solve.

Second, in order to actually fix the problems that have been identified, you’ve got to buy the premium version of the package.  The result is that you’re losing money, and the software often breaks your system.  Not a pretty picture.

This latest move by Microsoft builds on action they took back in 2016, when the company started penalizing the makers of such registry cleaners if their software didn’t provide adequate information. This missing information included why the problems they found needed to be fixed in the first place, and if they utilized a high pressure up-sell technique.

Ultimately, those moves proved to be insufficient, so Microsoft decided to take things to the next level.  Now, they’re simply going to start deleting these no- or low-value programs.  Late or not, that’s one less headache for you, and a very good thing.

Almost Half Of Top Ranking Websites Are Vulnerable

Menlo Security just released their third annual “State of the Web” report and it’s not pretty.  The headline finding is that 42% of the top 100,000 sites as ranked by Alexa are more dangerous than you think.

The report defines a risky site as one that meets one of three criteria:

  • The site, or one of its associated background sites (from which news articles or video is pulled), is running software with a known security vulnerability
  • The site has been used to launch attacks or distribute malware
  • The site has suffered a security breach in the past twelve months

This first point is key, and often overlooked by security professionals.  Any time your website is pulling content from another source, it creates an opening that a hacker could potentially exploit.  Worse, most security professionals lack the tools to properly monitor those connections.

As bad as that sounds, there’s an even worse detail lurking in the pages of the report, and that concerns emails.

Hackers are increasingly moving away from setting up their own domains.  Instead, they’re preferring to create a subdomain of a compromised, legitimate domain, which makes it harder to spot.  Amir Ben-Efraim, the CEO of Menlo Security, had this to say about the issue:

“It is far easier to set up a subdomain on a legitimate hosting service than use other alternatives – such as trying to hack a popular, well-defended site or to set up a brand-new domain and use it until it is blocked by web security firms.  Legitimate domains are often whitelisted by companies and other organizations out of a false sense of security, giving cover to phishing sites.

Also, hosting services typically allow customers to set up multiple subdomains.  For example, researchers found 15 phishing sites hosted on the world’s 10 most popular domains.”

The bottom line is:  The web and even the most popular sites on it, aren’t nearly as safe as you think.

Vulnerability Found In Popular Grammar Checker

On February 2, Tavis Ormandy, a researcher on Google’s Project Zero team discovered a critical flaw in the popular online grammar checking app, “Grammarly.”  Tens of millions of users make regular use of the app to improve the quality of their writing.  The bug allowed a hacker to steal a Grammarly user’s authentication token and use that token to log on and access every document they’ve run through the Grammarly system. This along with that user’s history, logs and other data. They were able to do it all using just four lines of JavaScript code.

The bug was found in both the Firefox and Chrome Grammarly extensions and was reported immediately.

While response time to such a report varies greatly, Grammarly set a new record for speed and efficiency.  The bug was reported on a Friday, and by Monday, it was patched.  If you use either the Chrome or the Firefox Grammarly extension, there’s nothing for you to do, as these should update automatically.

A spokesman for Grammarly had this to say about the matter:

“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery.  At this time, Grammarly has no evidence that any user information was compromised by this issue.

We’re continuing to monitor actively for any unusual activity.  The security issue potentially affected text saved in the Grammarly Editor.  This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension.  The bug is fixed, and there is no action required by Grammarly users.”

Kudos to Tavis Ormandy for finding the bug, and a hearty round of applause to Grammarly for their speedy and deft handling of the issue.  Given the severity of the bug, it’s easy to see how such a discovery could have gone an entirely different direction. As it turns out, Grammarly set a new bar for excellence with their handling of the issue.

Some Smartwatches May Be Able To Diagnose Diabetes

That smartwatch you’re wearing might save your life.  Literally.

A new study conducted by the University of California San Francisco, and a healthcare startup called Cardiogram revealed that smartwatches and other wearables were able to detect diabetes in previously diagnosed patients an impressive 85 percent of the time.

The study monitored health statistics of more than 14,000 smartwatch wearers (both Android and Apple) over the course of several months.  All health data that was collected was fed into a deep neural network which compared the collected data to samples taken from people both with, and without diabetes.

Obviously, while 85 percent is good, it falls short of greatness.  Then again, the AI routine (dubbed “DeepHeart”) is still in its infancy and is all but certain to continue improving over time.

That’s important, given how many people in America have diabetes.  It is estimated that there are more than 100 million Americans who either have the disease or who are prediabetic, and many of these haven’t been diagnosed yet.

Given these results, and in a bid to further improve DeepHeart’s accuracy, the company plans to incorporate the AI into the next update of its app on both iOS and Android platforms.

All that to say, if you currently have and wear a smartwatch or other wearable, it may help you in ways you can’t even begin to imagine.  This is the bleeding edge of a segment of the market that is only just beginning to emerge.  At this point, it’s so new that it would be difficult even to say it’s in its infancy.  Although we can’t know for certain what new revelations and advances wearable technology will bring to the medical field, based on what we’ve seen so far, we can say there will be a bunch of them, and they’ll all be exciting.

If you’ve been considering getting one but haven’t yet, this is a pretty solid reason to do so.

Smart TV’s May Be Tracking You And Vulnerable To Hacks

Do you own a smart TV?  More than half of all television sales in the US last year were smart TVs, so chances are decent that you own one.  If you do, be aware that it may be collecting far more data about you than you think.

Recall that last year, Samsung, (one of the top smart TV manufacturers) found itself in hot water when it was revealed that the TV could listen in on conversations, record them (for better voice recognition) and save them on a Samsung server.

Those issues still persist to varying degrees, but a recent Consumer Reports study underscores something most people in the tech business have known all along.  Smart devices really aren’t all that smart, at least when it comes to security.

The Consumer Reports study concluded that most smart TVs and associated technologies like the Roku have only the most rudimentary of security features and can easily be hacked, giving the hackers total control of your TV. This includes the ability to turn it off, on, change the channel, and monitor your viewing habits.  Given that, these TVs can also be voice-controlled. Once a hacker is in control of your set, he could monitor any conversations that take place near it without your knowledge.

In addition, the most recent smart TVs come with a feature called Content Recognition.  For example, if you watch the latest episode of the Walking Dead (whether on AMC or Amazon Prime or some other streaming service), the next time you pull up a web page on your PC or smart phone, you’ll start seeing advertising related to the Walking Dead.

This, of course, gives any would-be hacker a much deeper view into your viewing habits and history.

The upside is that most of these features can be deactivated if you have the patience to sift through the television’s menu system. Of course, if you do that, then it’s no longer a smart TV, and thus, not worth the extra money you spent on it.

As ever, the bottom line is this:  These kinds of risks aren’t going to go away on their own.  Until and unless smart device makers start taking security more seriously, we’re going to keep hearing about potential or actual abuses.

Microsoft Office Update Available To Only Windows 10 Users

There are big changes coming to MS Office which you need to be aware of, given how widely used “Office” is in most companies.

First, the headline change:  When MS Office 2019 is released, it will only run on Windows 10.  If you’ve still got machines on older operating systems, and you want to keep your productivity suite up to date, then you’ll need to upgrade those older systems.

Also, be aware that when Office 2019 ships, it will only have “Click-to-Run” technology.  No MSI, although Office Server will have an MSI deployment option.

In terms of software support, the company had this to say:

“Office 2019 will provide five years of mainstream support and approximately two years of extended support.  This is an exception to our ‘Fixed Lifecycle Policy’ to align with the support period for Office 2016.  Extended support will end 10/14/2025.”

The Office 2019 bundle will include the following apps:

  • Word
  • Excel
  • PowerPoint
  • Outlook
  • Skype for Business

Additionally, server versions of SharePoint and Exchange will be available.

In conjunction with the announcement above, the company also announced service extensions for Windows 10, and changes to the system requirements for people who use Office 365 ProPlus, the company’s online office suite.

Beginning on January 14, 2020, Office 365 ProPlus will no longer be supported on Windows 7, Windows 8.1, Windows Server 2016, or any Windows 10 LTSC (Long Term Servicing Channel) release.  Windows 10 support (versions 1511, 1607, 1703, and 1709) will get an additional six months of support for both enterprise and education customers.

Although these changes will no doubt inconvenience some users, overall, they have to be judged as a positive.  Microsoft has been taking a number of meaningful steps in recent years to streamline and simplify their product support, and these latest changes are very much in keeping with that.

Google Will Get Tougher On Websites Not Using HTTPS

Google is poised to make an important change to its Chrome browser beginning in July 2018.

Here’s the summary from Emily Schechter, the Google Chrome Security Product Manager:

“For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption, and within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as ‘not secure.’  Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as ‘not secure.'”

All the major browsers already have plug-ins that alert users anytime they’re visiting a non-secure (HTTP) website, but Google’s planned move will likely prompt them to incorporate the notification into their core product as well.

According to Google’s statistics, 81 of the top 100 sites (as ranked by traffic volume) already use HTTPS.  In addition to that, Google reports that 68 percent of Chrome users are finding HTTPS when using Android and Windows, and 78 percent of the time when using Mac OS X, iOS, and Chrome OS.  Those figures are markedly higher than they were in 2010, when an estimated 40 percent of websites were using the secure socket layer.

If your company’s website hasn’t already made the switch, the time to do so is now.  The writing is clearly on the wall, and it’s not hard to imagine that after Google begins “shaming” non-secure sites with the notification, they’ll also start implementing penalties that will hurt their position on search results pages.  Even if they don’t, the persistent non-secure warnings will be enough to keep many users away, so it doesn’t matter how well optimized or SEO-friendly your site is, an increasing percentage of users may simply opt out if it’s not secure.

New Bug Discovered in iOS That Can Disable iPhone Apps

Last year, Apple had to fix a “special character” bug in their Message app that was more of an annoyance than anything.  This year, a new special character bug has been found, but this one is much more serious and could allow an attacker to crash your phone and block access to a variety of messaging apps.

The bug is specific to iOS 11, so if you’ve got an older version, you don’t have anything to worry about.  The company has already announced that it will be fixed in the upcoming release of iOS 11.3.

Unless you’re in the habit of getting messages in Telugu (Indian language), you’re not likely to see it, because the bug relies on one of the special characters utilized in that language pack.  Once you receive a message containing the special character, your phone will crash.  Even after you restore it, you’ll find that you’re not able to access iMessage, WhatsApp, Facebook Messenger, Gmail, or Outlook for iOS. Although if you use either Telegram or Skype, these appear to be unaffected.

Unfortunately, you don’t have a lot of control over who sends text messages to you, so until the patch is released this spring, there’s not much you can do except to be mindful that it could happen.

If you’re a long time user of Apple products, then you know that this is hardly the first time that strange things have caused the OS to crash.  Just last month, it was discovered that a properly formatted URL could cause a system crash.  In 2015, researchers discovered that a properly formatted text string could cause iMessage to crash. Just last year, a five-second video caused iPhones around the world to crash.  All that to say, keep an eye out for strange text messages, and definitely upgrade to iOS 11.3 as soon as you get the opportunity to do so.

IRS Labeled Email Could Contain Ransomware

There’s a new strain of the “Rapid Ransomware” making the rounds, and because of how it’s being transmitted, it’s destined to have a higher than average rate of infection.  The new strain was first discovered by Derek Knight. It is disturbing because it claims to come from the IRS, and will feature subject lines like “IRS Urgent Message-164.”

The body of the email then goes on to say that the recipient owes some amount of money in real estate taxes, and “helpfully” includes instructions for how to settle in the attached file.  Inside the zipped file, the user will find a word document.  You’ll need to click on “Enable Editing” to see the file, and unfortunately, the moment you do, you’re doomed.  “Rapid” will scan the target computer for data files and encrypt them, appending each with the “.rapid” extension.

As soon as the malware finishes encrypting your files, it will automatically open “Recovery.txt” which will display details on how much you’ll have to pay the hackers to get your files back.  Unlike most other ransomware strains, this one will configure itself to start every time you login to the computer, so if you pay the ransom to get access to your files again, but fail to completely remove the malware, you’ll be facing the same problem the very next time you use the machine.

Observant users will take note of the fact that the email address is not a .gov and likely not be taken in. Unfortunately, many people will look no further than the subject line and immediately begin following the instructions contained in the email, which is obviously the reaction that the hackers are hoping for.

As ever, protecting yourself from threats like these comes down to two things:  Education and vigilance.