Tag: Technology

Select HP Laptop Models Recalled Over Battery Issue

Did you purchase an HP laptop between December of 2015 and December of 2017? If so, then you may have problems.

The US Consumer Product Safety Commission has been made aware of eight instances where HP battery packs overheated, charred, or melted, creating a worrisome fire hazard that has gotten the attention of user groups scattered all over the internet.

It also got the attention of HP itself, and the company recently announced “a worldwide voluntary safety recall and replacement program” for laptops shipped during the timeframe mentioned above.

If you own one of the following models, you may be impacted:

  • HP ProBook 640 G2
  • HP ProBook 645 G2
  • HP ProBook 650 G2
  • HP ProBook 655 G2
  • HP ProBook 640 G3
  • HP ProBook 645 G3
  • HP ProBook 650 G3
  • HP ProBook 655 G3
  • HP ZBook 17 G3
  • HP ZBook Studio G3
  • HP ZBook 17 G4
  • HP x360 310 G2
  • HP Pavillion x360
  • HP ENVY m6
  • Or the HP 11 Notebook PC

You can visit HP’s website and download a tool you can use to test your laptop to see if it has one of the defective battery packs. A BIOS update is also available that will safely and completely discharge the battery. Although of course, until you get a replacement, you’ll only be able to power your laptop via the AC power supply.

According to the company, “Many of these batteries are internal to the system, which means they are not customer replaceable. HP is providing battery replacement services by an authorized technician at no cost.”

While it’s a nice gesture, it would be even better if the company hadn’t shipped the defective batteries in the first place and caused a major inconvenience to its customers. This most recent recall comes on the heels of another one less than a year ago, in which the company recalled more than 100,000 similarly defective laptops at the end of January, 2017.

Better Parental Controls Underway For Apple Devices

Recently, a group of investors wrote an open letter to Apple, urging the company to do more in regards to offering better and more robust parental controls on the devices the company makes. Although the group of investors control some $2 billion in Apple stock, this is a drop in the proverbial bucket, given the company’s $900 billion market cap. Nonetheless, the letter seems to have gotten Apple’s attention.

In a statement published in the Wall Street Journal, the company said: “We think deeply about how our products are used and the impact they have on users and the people around them. We take this responsibility very seriously, and we are committed to meeting and exceeding our customers’ expectations, especially when it comes to protecting kids.”

Previously, the company has touted the suite of parental controls it’s had in place on the devices it makes since 2008. For example, every iPhone sold has a settings app with a parental controls section that allows adults to control in-app purchases, install and delete apps, and restrict website access.

Those are all good things, but the group of investors is pushing for more. Although the company has not released any details about their planned enhancements, it does appear that the letter has prompted them to think even more deeply about the matter, and in that same letter, also requested that apple aid research that studies what impacts excessive smartphone use has on mental health.

To their credit, Apple has done more with parental controls than many, if not most other tech companies, and it is very good to see that they’re listening and responding to the concerns of their investors. This kind of responsiveness bodes well, and depending on the particulars of their plan, it could well cause other companies in the industry to attempt to match their moves.

Hard Drives May Double In Speed With New Technology

What’s an HDD manufacturer to do when faced with competition by faster, more efficient SSD drives?

Go big, and go faster. At least that’s the strategy that both Seagate and Western Digital are adopting.

SSDs tend to get prohibitively expensive as their size crosses the 1TB threshold, which creates an opportunity for HDD manufacturers. Seagate is currently selling drives with an impressive 14TB of capacity, and has plans on the drawing board to introduce a 40TB drive by 2023, with Western Digital not far behind, aiming for a 40TB drive by 2025.

That’s impressive, but as Seagate mentioned in a recent blog post:

“Capacity is only half of the solution. If the ability to rapidly access data doesn’t keep pace with all that capacity, the value potential of data is inhibited. Therefore, the advancement of digital storage requires both elements: increased capacity and increased performance.”

In order to address the performance side of the equation, Seagate is experimenting with a new approach called “multi-actuator technology.”

HDDS are based on platters, with an actuator arm on the top and bottom that write to the platters.

Actuators are all aligned and are designed to move in tandem, but at any given moment, only one arm is writing to the disk.

Seagate’s new solution utilizes two sets of actuator arms, each controlled independent of the other. With two heads capable of reading and writing simultaneously, HDD speeds can effectively be doubled.

It’s an idea that has been around for a while, but until recently, thanks to the prohibitive cost of the components, it was simply impractical. With component prices falling, it’s suddenly viable. The combination of massive HDDs and the new technology are making people take a second look at HDD technology.

This is a great advance that breathes new life into HDDs, and is a truly exciting innovation.

New Wifi Standard WPA3 May Be Coming

Remember the KRACK WiFi (WPA2) vulnerability, discovered by Mathy Vanhoef? It turns out that his discovery was a catalyst for action. Recently, the WiFi Alliance, which is the industry’s standards organization, released details about its new WPA3 protocol.

Here’s a quick rundown of the changes you can expect to see in the months ahead:

  • Enhancements in encryption capabilities – The new protocol will enable encrypted connections between connected devices and the router/access point, and the cryptographic standard has been improved. According to the WiFi Alliance, it will be “a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, which will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.”
  • The ability to configure one WiFi enabled device to configure other devices on the network – As an example, you’ll now be able to configure a network-connected smart device that doesn’t have a display screen from your smartphone or PC connected to the same network.
  • More protection – In addition to offering more robust encryption, the new standard will also offer enhanced protection against brute force attacks by halting the WiFi authentication process after some number of failed login attempts. This mirrors the functionality found on many web-based authentication systems.

All of these are welcome changes indeed, but despite relatively quick action on the part of the WiFi Alliance, it will still be several months before consumers are able to purchase devices that offer WPA3 support.

Mathy Vanhoef, the researcher who brought the KRACK attack to the world’s attention, had this to say about the recent announcement:

“The standards behind WPA3 already existed for a while, but now, devices are required to support them. Otherwise, they won’t receive the WPA3-Certified label. Linux’s open source Wi-Fi client and access point already support the improved handshake, it just isn’t used in practice. But hopefully, that will change now.”

This is good news indeed, and will help make wireless networks more secure. Kudos to Mathy Vanhoef for his discovery, and for spurring the industry into action.

Electronic Device Search Rules Better Defined By US Customs

There’s a constant tug of war playing out on the national stage. On one side, privacy advocates are pushing for greater autonomy for end users, and hard limits to the types of searches that law enforcement agencies are allowed to conduct.

On the other side are the government agencies themselves, which often cite national security concerns as the justification for more and easier access to the sensitive data contained on personal devices like laptops and smartphones.

Generally speaking, the privacy advocates lose those battles. This was the case recently, when the CBP (the US Customs and Border Protection agency) published their latest electronic search guidelines. The most significant change is that the new guidelines explicitly define the difference between basic and advanced searches.

CBP agents are authorized to choose any travel, with or without cause or suspicion, for basic searches. Under the clarified rules, a basic search is limited to an examination of data found on the device itself, which is accessible through already installed apps, or through the device’s OS.

Advanced searches may be conducted, but agents must demonstrate that there’s a reasonable suspicion of criminal activity, or that the person carrying the device represents a “national security concern.”

The individual singled out for an advanced search may be permitted to be present while the search is conducted, but are not permitted to view the actual search itself for fear of revealing law enforcement techniques. Of significance, even during the conduct of an advanced search, agents are not permitted to search cloud-based data. They are restricted to data stored on the device itself.

While none of this sounds especially heavy-handed, the biggest complaint privacy advocates have about the updated rules is the fact that border agents can, at their own discretion, still carry out warrantless searches without any judicial oversight whatsoever.

Although this may not impact you directly, it pays to be mindful of the recent changes.

Vulnerabilities Found In Some GPS Services

A duo of researchers stumbled across a series of vulnerabilities in literally hundreds of GPS services that leave sensitive GPS tracking data open to hackers. Dubbed “Trackmageddon” by the researchers, the vulnerabilities span a range of weaknesses that include default or easy-to-guess passwords, IDOR (Insecure Direct Object Reference) issues, insecure API endpoints, and data collection folders that are entirely unsecured.

The reason so many different tracking services are impacted is that most of them rely on the same online software to deliver their services, and that software (believed to be designed by ThinkRace, one of the largest vendors of GPS tracking devices) itself is flawed. As more and more companies license it, the issues spread, exposing the data of an increasing number of customers who are entirely in the dark about how vulnerable their location data is.

The researchers have made attempts to contact the vendors offering GPS tracking services with vulnerabilities, but so far, have met with only limited success. According to their report:

“We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users.

We understand that only a vendor fix can remove a user’s location history (and any other stored user data for that matter) from the still affected services, but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices, much higher than the risk of historic data being exposed.”

As to the types of data being exposed, it includes: GPS coordinates, phone numbers, IMEI numbers, device information, and depending on which online service is being used, a hacker could even gain access to audio, video, and photos uploaded by the device being used.

While extremely convenient, these services do carry significant risks. Use them at your own risk.

Backdoor In Certain Lenovo Switches Discovered

Does your company utilize either RackSwitch or BladeCenter networking switches? Are those switches running ENOS (the Enterprise Network Operating System)? If so, there’s a backdoor in your network you weren’t aware of. Even worse, it’s been there since 2004.

Engineers at Lenovo recently discovered the backdoor in the firmware when they conducted an internal security audit. These products were added to the company’s portfolio via acquisition from Nortel, and Lenovo only just became aware of their existence.

A spokesman for the company had this to say: “The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.”

Updates are available on Lenovo’s website, and links to the updates are available inside the company’s security advisory on this topic.

It should be noted that this backdoor would be relatively difficult for a would-be hacker to exploit, because it’s not a hidden account whose password could be guessed at or cracked via brute force, but rather an authentication bypass mechanism that requires a strict set of conditions to trigger. Lenovo describes the various configurations of security settings that activate the backdoor in their security advisory.

In any case, the presence of a backdoor into your network (even one that’s hard to trigger and access) isn’t something to be taken lightly. If you’re able, grab the firmware updates from Lenovo at your next opportunity and seal the breach. If that is impractical for some reason, Lenovo has spelled out a few mitigation strategies your company can apply as a stop gap, until you can get the firmware updates in place.

Kudos to Lenovo from their swift, deft handling of the issue!

Do Not Use These Chrome Extensions

Do you use any of the following Chrome browser extensions?

  • Change HTTP Request Header
  • Nyoogle – (a custom logo for Google)
  • Stickies – (a Post-It note for Chrome)
  • Lite Bookmarks

If so, you’re not alone. These four extensions have a combined user base of more than half a million.

Recently, security researchers from ICEBRG (a US cyber-security company) have discovered malicious codes embedded in copies of these on the official Chrome Web Store. The code allows hackers to manipulate the users’ browser via JavaScript.

So far, the hackers have only contented themselves with relatively tame activities like loading and displaying ads, clicking on ads, and loading malicious web pages in the background. However, the potential exists to do much more than this.

Since ICEBRG informed Google, the company has removed three of the four plugins from the Web Store. As of this moment, only Nyoogle remains, though the expectation is that it will be removed in short order as well.

While all four extensions utilize the same basic techniques, and do many of the same things, it is not clear if all four were created by the same group, although this seems likely.

Since the extensions have now been (mostly) removed, the rate of infection will slow. Of course, if you’ve already downloaded and installed one of these four, then you are going to continue to be impacted.

The extensions are easy to uninstall, and if you’re using one of them, that is the recommended course of action.

In recent months, Google has taken steps to make their auditing process more robust to prevent malicious extensions and apps from finding their way onto the web properties they manage. As this latest incident proves, no matter how careful a company is, sooner or later something is going to slip through.

Inappropriate Ads Found In Some Game Apps for Kids

Normally, Google’s robust series of checks and audits are pretty good at catching malicious code and preventing it from making its way to the Play Store. Sometimes, however, something slips through anyway despite the company’s best efforts. This latest one is particularly bad.

Researchers from Check Point have identified a new strain of malware called “AdultSwine” lurking in more than sixty gaming apps on the Play Store. Each of these apps has been downloaded between 3 million and 7 million times, which gives us approximately 150 million infected devices.

As the name suggests, the malware primarily displays ads from the web that are of an adult nature, and often overtly pornographic. It also attempts to trick unsuspecting users into installing additional malware that masquerades as “security apps.”

An analysis of the code reveals it to be highly flexible, allowing the authors to easily begin collecting all kinds of information about the owner of any infected device. This makes identity theft a real possibility if the hackers were inclined to do so.

The most disturbing element of all this is that the malware seems heavily focused on apps and games designed for children. So if you’re a parent, it pays to check the apps that are installed on your child’s phone. What seems at first glance to be a harmless game could actually be displaying pornographic advertising while they’re playing.

The Check Point researchers had this to say about the discovery:

“Although for now this malicious app seems to be a nasty nuisance, and most certainly damaging on both an emotional and financial level, it nevertheless also has a potentially much wider range of malicious activities that it can pursue, all relying on the same common concept. Indeed, these plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.”

Just to be safe, double check the apps on your child’s phone!

Intel Chips Face Another Possible Vulnerability

Intel’s year isn’t getting off to a very good start. Just after the discovery of a pair of critical vulnerabilities that have been in their chipsets for more than a decade comes the discovery of yet another serious flaw that could impact millions of laptops around the world.

A Finnish data security firm called “F-Secure” just reported an issue with Intel’s Active Management Technology (AMT) that could allow a hacker to completely bypass the machine’s normal login procedure and take control of the target device in under a minute.

AMT is an admin-level feature that allows organizations to control and manage large numbers of PCs and workstations quickly and efficiently via remote. To take advantage of the flaw, a hacker would need physical access to the machine, which is its one saving grace. However, if they have that, they can take complete control even if a BIOS password has been set.

While other research teams have discovered AMT vulnerabilities in the past, this one deserves special attention for three reasons:

  • Once in control, the hacker could gain remote access to whatever network the machine is attached to at some later point.
  • It affects almost all intel laptops, and odds are that if you’re a business owner, there are a number of laptops with Intel chipsets connected to your network
  • It’s an incredibly easy flaw to exploit, requiring no code whatsoever.

F-Security Research Harry Sintonen had this to say about it:

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

It should be noted that this flaw is in no way related to the Spectre and Meltdown vulnerabilities that have been reported on earlier, giving Intel a trio of nasty problems to deal with right at the start of the new year.