A post on Jeff Atwood’s Coding Horror blog describes the process Jeff uses to test the stability of new computers. It’s an intensive set of tests, and if your hardware is in the least bit flaky, this process will probably break it.
Category Archives: Hardware
Moore’s Law has run its course
Ars Technica has an interesting look at how Moore’s Law is losing its relevance and will no longer be the focus of industry plans for the future of microprocessors.
Moore’s Law originated with a 1965 prediction of Intel co-founder Gordon Moore, which gradually came to mean that the number of transistors per microchip would double every twelve months. This prediction held true for decades but has been strained in recent years.
Security and privacy roundup for January 2016
Your devices are talking about you
You already know that your web browser is tracking your activity. You are probably also aware of ‘The Internet of Things‘ – the increasing prevalence of devices that are connected to the Internet – and you recognize that any such device can also track your activities. Bruce Schneier reveals the next step in this evolution: enabling devices to share information about you. Of course, since the goal of all this surveillance is merely better-targeted advertising, most people are unlikely to care. Still, if privacy and control are important to you, this will not be welcome news.
Brian Krebs reminded us that ransomware can affect files in your cloud storage space as well as on your physical computer and network-connected devices.
A summary of software vulnerabilities over at VentureBeat shows Mac OS X topping the list for 2015. Microsoft’s security efforts seem to be paying off, as the highest-ranked version of Windows on the 2015 list is Windows 8.1 at number 10, and fewer than half the vulnerabilities as OS X.
Serious vulnerabilities were discovered in OpenSSH (a very commonly-used secure terminal client), OpenSSL (the ubiquitous security library), and Trend Micro antivirus software.
Vulnerabilities in the Linux kernel (affecting Android phones and Linux PCs) remain unpatched on many affected devices.
Google produced more patches for vulnerabilities affecting Android devices, but as always, the patches are finding their way to devices very slowly.
The very weak hashing functions MD5 and SHA1 are still being used in HTTPS encryption in some contexts.
It’s official: your smart TV can become infected with malware.
Network devices made by Juniper and Fortinet were found to contain serious vulnerabilities, including an NSA-developed back-door function and a hard-coded back-door password (more).
The free-to-use deep search tool Shodan made the news when researchers showed that it can be used to find household cameras, including baby-cams. Note that the problem here is not Shodan, which is just a useful search tool. The problem is the failure to properly secure Internet-connected devices.
There were more serious corporate security breaches in January, at Time Warner and Linode. As usual in these cases, the login credentials of subscribers were obtained by the attackers.
Amazon’s security practices were (unwillingly) tested by a customer, and found seriously deficient.
More malicious apps were found in the Google Play store. Google removed those apps, but not until they were downloaded millions of times by unsuspecting Android device users.
LG fixed a critical security hole affecting as many as ten million of its mobile devices.
Security and privacy roundup for November 2015
PCs from Dell were found to include support software and related security certificates that potentially expose users to various threats. Dell moved quickly to provide fixes, but many systems remain vulnerable. As if we needed more convincing, this is yet another reason to remove manufacturer-installed software from new PCs as soon as possible after purchase.
A hacking tool called KeeFarce looks for KeePass password databases, attempts to decrypt the stored passwords, and makes the decrypted passwords available to intruders. For this to work, the target computer must already be compromised, and the KeePass database left unlocked. According to researchers, the technique could be used on any password management software. Please, if you use password management software, remember to leave it locked, even if you’re the only user. Why make things any easier for intruders?
Anti-adblocking service provider PageFair was hacked on Halloween, and for a couple of hours, visitors to about 500 web sites were shown fake Flash update warnings that actually installed malware. PageFair fixed the problem relatively quickly and apologized for the breach.
The web site for the popular vBulletin forum software was hacked and user account information stolen. Site admins reset all user passwords and warned users, but have yet to address claims that the attackers used a long-standing vulnerability in the vBulletin software itself to achieve the intrusion. If true, anyone who manages a vBulletin site should immediately install the patch, which was made available after the vBulletin site hack.
With all the furor over Windows 10’s privacy issues, it’s important to recognize that modern phones have all the same issues. Anyone who uses a smartphone has observed that most apps ask for access to private information when they are installed. Generally, user choices are limited to agreeing or cancelling installation. A new study looks at popular iOS and Android apps, the user information they collect, and where they send it. The results are about as expected, and the authors conclude, “The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs.” No kidding.
A nasty new type of Android malware has been discovered. Researchers say that the perpetrators download legitimate Android apps, repackage them with malware, then make the apps available on third-party sites. Once installed, the infected apps allow the malware to install itself with root access. So far, the malware only seems to be used to display ads, but with root access, there’s no limit to the potential damage. Worse still, it’s extremely difficult to remove the malware, and in many cases it’s easier to simply buy a new phone.
Ransomware was in the news a lot in November. SANS reported seeing a malware spam campaign that impersonates domain registrars, tricking recipients into clicking email links that install the ransomware Cryptowall. Ars Technica reports on changes in the latest version of Cryptowall, and a new ransomware player called Chimera. Brian Krebs reports on new ransomware that targets and encrypts web sites. Luckily, the encryption applied by that particular ransomware is relatively easy to reverse.
Several web sites and services were hit with Distributed Denial of Service (DDoS) attacks in November. In some cases, the attackers demanded ransom money to stop the attack. ProtonMail, provider of end-to-end encrypted email services (and used by yours truly) was hit, and the attacks didn’t stop even when the ransom was paid.
Security certificates generated using the SHA1 algorithm are nearing the end of their usefulness. Plans are already underway to stop providing them and stop supporting them in web browsers and other software. SHA1 is being phased out in favour of the much more secure SHA2 algorithm.
A rash of vulnerabilities in popular WordPress plugins, including the excellent BPS Security plugin, came to light in November. WordPress site operators are strongly encouraged to either enable auto-updates or configure their sites to send alerts when new plugin versions are detected.
An app called InstaAgent was pulled from the Apple and Google app stores when it was discovered that the app was transmitting Instagram userids and passwords to a server controlled by the app’s developer. It’s not clear how the app managed to get past the quality controls in place for both stores.
Security researchers discovered a bizarre new form of privacy invasion that uses inaudible sound – generated by advertisements on TV and in browsers – to track user behaviour. As weird as it seems, this technology is allowing true Cross Device Tracking (CDT).
On a brighter note, Google is now detecting web sites that appear to use social engineering techniques to trick users. Chrome’s Safe Browsing feature will now show a warning when you are about to visit a page Google thinks is using these devious methods.
The whole-disk encryption technology TrueCrypt was previously reported as vulnerable, and a new study has confirmed those vulnerabilities. The study also found that if TrueCrypt is used on unmounted drives, it is perfectly secure, but what use is a hard disk if it isn’t connected to anything? TrueCrypt users are still anxiously awaiting new encryption technologies like VeraCrypt.
Security researchers discovered a critical flaw in many Virtual Private Network (VPN) services. VPN software and services are used by many torrent users to protect their identity. The flaw allows a malicious person to obtain the true IP address of a VPN user.
The Readers Digest web site was infected with a variant of the Angler malware and proceeded to infect unpatched visitor computers for about a week before site operators took action. Thousands of Windows computers may have been infected before the site was finally cleaned up.
Only Windows 10 on new PCs after October 2016
Microsoft has confirmed that OEMs will no longer be allowed to sell new computers with Windows 7 or 8.x after October 31, 2016. If you buy a new PC after that date, you won’t have any options besides Windows 10.
Support for Windows 7 – including security updates – will continue to 2020, so it’s still a perfectly viable operating system. But it’s unclear whether you will still be able to purchase Windows 7 OEM separately, from Microsoft or any other seller, after October 31, 2016. I certainly hope so, although it seems unlikely. So if you’re planning to build any new Windows 7 computers between October 2016 and 2020, you should stock up on Windows 7 OEM licenses now.
Security & privacy roundup for September 2015
Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.
Passwords in the leaked Ashley Madison user database became much easier to decrypt, once again reminding us to avoid re-using passwords.
A rogue version of the iPhone development tool XCode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.
In other Apple-related news, a simple bypass for the Gatekeeper process, that protects Mac OS X users from malicious software, was discovered.
This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.
A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.
A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.
A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.
Security roundup for August 2015
Last month in security and privacy news…
A weakness was discovered in the open BitTorrent protocol, rendering torrent software vulnerable to being used to initiate DDoS attacks. The BitTorrent protocol flaw was quickly updated, and patches for affected software were developed and distributed.
Malvertising continued to spread, most recently affecting popular sites like weather.com, drudgereport.com, wunderground.com, and eBay. Anyone visiting those sites with an unpatched browser may have inadvertently caused their computer to be compromised. Needless to say, the malicious ads were built with Flash.
It was a bad month for Android, as one of the updates released by Google that were intended to fix the Stagefright flaw turned out to be faulty, leaving some devices still vulnerable, and forcing Google back to the drawing board. Security researchers also discovered a flaw in Android’s Admin program that allows apps to break out of the security ‘sandbox’ and access data that should be inaccessible. Two flaws in fingerprint handling were also found in many Android devices, leaving both stored fingerprints and the fingerprint scanner itself vulnerable. And finally, new research exposed the predictability of Android lock patterns, making this particular form of security much less effective.
Lenovo’s hapless blundering continued, with the discovery that many of their PCs were using a little-known BIOS technology to ensure that their flawed, insecure crapware gets installed even when the operating system is reinstalled from scratch. Will these bozos ever learn?
Jeff Atwood reported on a new danger: compromised routers. If an attacker gains control of your router, there’s almost no limit to the damage they can inflict. Worse, there are no tools for detecting infected routers. If your router is compromised, no amount of malware scanning on your network’s computers will help. You’re vulnerable until you realize that the router is the problem and replace it or re-flash its firmware.
Mozilla offered more details on planned changes to Firefox that are expected to improve the browser’s security, stability, and performance. These changes are likely to benefit Firefox users, but will come at a cost: many existing browser add-ons will become obsolete. Add-on developers will be forced to make big changes or retire their software. Certain types of add-ons may not even be possible with the changes Mozilla plans.
In privacy news, the Electronic Freedom Foundation (EFF) released version 1.0 of Privacy Badger, a Chrome and Firefox add-on that blocks tracking mechanisms used on the web. The add-on initially doesn’t block anything, but learns as you browse, detecting cookies that are used on more than one site and blocking them.
And in other EFF news, a new malware campaign uses spearphishing techniques to get targets to visit what is supposed to be an EFF web site but is in fact a source of virulent malware.
Google announced upcoming changes to Chrome that will prevent extension developers from using deceptive practices to trick users into installing their software. Specifically, the ‘inline installation’ process will no longer work for extensions that are associated with these deceptive techniques. This is a good example of a software maker (Google) backing away from a feature that improved usability at the cost of security.
Google also firmed up plans to prevent most Flash media from being displayed by default in Chrome. Flash media won’t be blocked, but users will be required to click on each embedded video before it will play. Google’s official reason for doing this is to improve Chrome’s performance, but the change should reduce the spread of malvertising as well. Of course, Google’s own advertising network still allows Flash-based ads, and those ads will still auto-play. Google’s advice to advertisers is to switch from Flash-based ads to HTML5-based ads, or move to Google’s ad network.
And finally, Ars Technica posted a useful overview and instructions for encrypting your desktop, laptop and mobile devices. Be warned, total device encryption is not for the faint-hearted and comes with certain risks. For example, if you forget to tell your IT person that your hard drive is encrypted and they try to recover your computer from a failure, you may lose everything, even if your data is backed up.
Is Chrome spying on you? Nope.
This past week there was a lot of noise on the web about Google sneakily installing an extension into Chrome that spies on you via your computer’s microphone.
There are several aspects to this story. First, Google did indeed automatically update installs of both Chrome (its closed-source web browser) and its open-source cousin Chromium, with an extension called Hotword. Note that both browsers are designed to update themselves automatically, so this isn’t anything new. But it seemed a bit sneaky in that Hotword is an extension, and as such, a) should probably only be installed after getting confirmation from the user; and b) should show up in the browser’s list of installed extensions.
Google explained this by pointing out that some Chrome/Chromium extensions are ‘component’ extensions, and these are handled more as core components of the browser than as extra add-ons. And Hotword was designated as a ‘component’ extension.
Second, people using the open source Chromium were particularly dismayed that the browser was updating itself with code that was itself not available for review (i.e. not open source). This concern was understandable, and Google’s response was to stop installing Hotword automatically on Chromium.
Third, there was some evidence of a bug in Hotword that could allow third parties (i.e. not the user, and not Google) to use Hotword to listen to users. A demonstration of this seems to bear out this claim, but at this point it’s not clear whether there is any basis for a serious privacy concern. I’ll post more about this as things progress.
It’s important to note that the Hotword extension is not enabled by default. Even if you’re using Chrome, and Hotword is installed automatically, it won’t do anything until it’s enabled. More about that below.
Background
As you may be aware, there’s a big push on to get voice control into the mainstream. For years, we’ve seen people in SF movies talking to their computers and thought it was pretty neat. The technology for actually doing this is finally here, and it’s being added to everything, starting with our mobile devices: iPhones have Siri, Windows phones have Cortana, and so on. Microsoft is pushing Cortana into Windows on PCs now as well, in Windows 10.
Google has been experimenting with voice recognition for its search site and in Chrome for some time now. The Hotword extension is just Google’s latest improvement. Once installed in Chrome/Chromium, the browser provides various indications about its status. Visiting the main Google search page, or just opening a new tab (which shows the Google search interface by default) will now show ‘Say “Ok Google”‘ at the far right of the search prompt. There’s also a microphone icon, which has actually been there for a while.
As long as Hotword is disabled, saying ‘Ok Google’ displays a dialog that says ‘Voice search has been turned off’. You’ll also notice a camera icon – with a red line through it – in the address bar. To enable Hotword, click the camera icon and select ‘Always allow google.* to access your microphone’. Now, when you’re on the Google search page and say ‘Ok Google’, the browser will start listening for your commands. If you don’t want to enable Hotword, but want to use voice commands, just click the microphone icon.
Note: if you switch away from the Google search tab, Hotword stops listening.
Legitimate concerns?
Here’s where some of the privacy concerns may perhaps be legitimate. Even if Hotword is disabled, Chrome is clearly still listening to you, even if it: a) ignores everything you say except ‘Ok Google’, and b) will only tell you that voice activation is disabled when you say ‘Ok Google’. It’s extremely unlikely that Google has any malicious intent here. They are simply trying to make voice control seamless.
For example, I have Cortana on my Windows phone (please keep your snickering to a minimum) and although I don’t use it much, it’s particularly handy for choosing music to play. I love being able to ask Cortana to play a particular song or artist when I’m in the car. There’s just one problem: to get Cortana to listen, I have to press a button on the phone. Microsoft is working on a ‘Hello Cortana’ feature that will allow users to get Cortana’s attention without needing to pick up the phone. Certainly this feature isn’t for people who worry about their privacy, but for the rest of us, it’s just going to be very handy.
General paranoia about Google
There’s a general feeling of distrust towards Google, and it seems to be growing. Google’s spectacular success, and their financial power, make it easy to think of them as just another huge corporation trying to run our lives. Google has certainly made their share of mistakes, and some of that distrust is perhaps warranted. But I think people get carried away with this. Sure, Google wants to make money from us, mostly in the form of advertising. But aside from that, I truly believe that they are just trying to provide excellent products and services. And I think they’re doing a remarkable job.
Security roundup – May 2015
Recent security breaches at mSpy and AdultFriendFinder are a gift for Internet extortionists. mSpy hasn’t helped matters by first denying the problem, and then trying to downplay its impact.
A serious vulnerability called Logjam has been discovered in the Diffie-Hellman Key Exchange software, which is used to secure communications on many web and email servers. Meanwhile, despite its many flaws, it’s still a good thing that the web is moving towards HTTPS encryption everywhere.
In the world of network-attached hardware, malware called Linux/Moose is exploiting vulnerabilities in routers and spreading across the Internet. A security flaw in NetUSB is making many consumer routers vulnerable.
A serious vulnerability in many virtual hardware platforms, including Oracle’s popular VirtualBox, is making life difficult for many service providers.
Those of you who monitor traffic arriving at your home or work network are no doubt aware that your network is being constantly scanned for vulnerabilities. Brian Krebs rightly points out that much of this scanning activity is not malicious.
And finally, before you exchange that Android device, you should know that even if you’ve performed a full reset, your personal data is not being completely erased.
Insecure routers home to vast botnets
Huge networks of compromised network routers form the basis of several large botnets. These botnets – described as ‘self-sustaining’ by security researchers – are only possible because routers are shipped with common, known passwords, and because users fail to change those passwords, or leave remote administration features enabled. The compromised routers are mostly used in DDoS attacks.
Users should not depend on their ISP to secure their router. There are numerous guides for improving the security of routers, but this one at HowToGeek is particularly good.