Monthly Archives: September 2015

Is Windows 10 slurping too much data?

Seems like yes, despite assertions that it is not.

Quote

“We collect a limited amount of information to help us provide a secure and reliable experience. This includes data like an anonymous device ID, device type, and application crash data which Microsoft and our developer partners use to continuously improve application reliability,” Myerson wrote. “This doesn’t include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID.”

Moving right along, Myerson confirmed that Microsoft would love to collect words and phrases that you type – something we’ve known about since the first Windows 10 Technical Preview shipped – but explained that it’s not about advertising. Rather, it’s about being able to “deliver a delightful and personalized Windows experience to you.”

The Windows 10 Privacy Statement gives examples of data that Redmond might collect, including “name, email address, preferences and interests; location, browsing, search and file history; phone call and SMS data.”

So basically, use Windows 10 and your life is an open book to Microsoft and their partners. No thanks!

Linux BotNet

A network of infected Linux computers is flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic—enough in some cases to take the targets completely offline.

Quote

The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.

Security of credit cards using “chips”

As you may know, starting in October the credit card companies are changing the rules on credit card liability for transactions where the credit card is present at the location of the purchase.  The idea is to encourage merchants and financial institutions to adopt the “EMV” (Europay/MasterCard/Visa) “chip” credit cards.

The EMV cards are generally considered to be more secure, because the chip creates a unique transaction code for each transaction, whereas if someone manages to read the magnetic stripe on a traditional credit card (and acquires the 3 digit verification number), there is nothing to stop repeated use of that credit card.
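The difference between a replayable stripe and a per-transaction code can be shown in a simplified model. This is an added example, not code from any card scheme: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the class names, the counter check and the sample stripe data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def cryptogram(key, counter, amount_cents, nonce):
    # HMAC-SHA256 is a stand-in for the chip's cryptogram algorithm (assumption).
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Holds a secret key and a transaction counter that only moves forward."""
    def __init__(self, key):
        self._key, self._counter = key, 0
    def sign(self, amount_cents, nonce):
        self._counter += 1
        return self._counter, cryptogram(self._key, self._counter, amount_cents, nonce)

class Issuer:
    def __init__(self, key, stripe_data):
        self._key, self._stripe, self._last_counter = key, stripe_data, 0
    def authorize_stripe(self, stripe_data):
        # Static data: the same bytes are valid every time they are presented.
        return hmac.compare_digest(stripe_data, self._stripe)
    def authorize_chip(self, counter, amount_cents, nonce, tag):
        if counter <= self._last_counter:      # counter already seen: replay
            return False
        expected = cryptogram(self._key, counter, amount_cents, nonce)
        if not hmac.compare_digest(tag, expected):  # altered or forged message
            return False
        self._last_counter = counter
        return True

def demo():
    key = os.urandom(16)
    stripe = b"CONSTRUCTED-PAN=CONSTRUCTED-STRIPE-DATA"  # constructed sample
    card, issuer = ChipCard(key), Issuer(key, stripe)
    results = {"stripe_first": issuer.authorize_stripe(stripe),
               "stripe_replay": issuer.authorize_stripe(stripe)}
    nonce = os.urandom(4)                      # terminal's unpredictable number
    counter, tag = card.sign(500, nonce)
    results["chip_first"] = issuer.authorize_chip(counter, 500, nonce, tag)
    results["chip_replay"] = issuer.authorize_chip(counter, 500, nonce, tag)
    counter2, tag2 = card.sign(500, nonce)     # fresh code, then amount changed
    results["chip_altered_amount"] = issuer.authorize_chip(counter2, 50000, nonce, tag2)
    return results

if __name__ == "__main__":
    print(demo())
```
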

However, readers should be aware that there is a downside to the EMV chip technology. While magnetic stripes can be easily read (say, after theft of a card, or by a physically compromised ATM), magnetic stripes cannot be read remotely. On the other hand, the card chips can be accessed remotely. Thus information on these new EMV cards can be read from a few inches away, even while the card is in your wallet or purse, by anyone passing near to you. While some cards do not reveal account numbers this way (American Express claims to be in this group), others have been shown to do so.

So, what can be done to protect your new EMV credit and debit cards?  The answer is to protect them by blocking radio frequencies (RF) from reaching the card when it is not in use.  One suggestion is to wrap them in aluminum foil.  While this is 100% effective (providing what is known as a Faraday cage around the card), it is bulky and inconvenient.  A less bulky and more convenient alternative is to place the cards in an RFID shield sleeve.  These sleeves, available from retailers (Amazon, REI and many others), are inexpensive, and do not take up appreciable space in your purse or wallet, and should also serve as a reasonably effective Faraday cage to protect your cards – not only credit cards, but any card that uses this kind of chip technology, which might include educational institution cards, company security access cards, driver licenses and others.

3D printed TSA Travel Sentry keys Open TSA Locks

Quote

Last year, the Washington Post published a story on airport luggage handling that contained unobscured images of the “backdoor” keys of the Transportation Safety Administration, along with many other security agencies around the world, used to gain access to luggage secured with Travel Sentry locks. These locks are designed to allow travelers to secure their suitcases and other baggage items against theft with a key or a combination, while still allowing the secured luggage to be opened for inspection—ostensibly by authorized persons only. The publication of the images effectively undermined the security of the Travel Sentry system, since the images were of sufficient quality to create real-world duplicate keys….

A few enterprising hackers (in the correct sense of the word “hacker”) have put together 3D printable model files of the TSA keys and uploaded them to a GitHub repository. Now, rather than needing specialized skills and tooling to craft a duplicate Travel Sentry key, all you need is a 3D printer that can handle STL files (and that’s basically any 3D printer)….

Is this disheartening news? Not particularly. Locking your luggage has never provided any real additional protection against all but the most casual theft attempts (as evidenced by the fact that almost any piece of luggage with a zipper can be opened with a screwdriver or a pen regardless of how many locks are hanging off of it). The spreading of 3D printable Travel Sentry keys is more of a criticism of any kind of “backdoor” cryptography—be it one that involves physical keys or mathematical. The backdoor itself undermines any and all trust in the system.

Anyone who thinks otherwise is fooling themselves.

Feeling safer yet?

Android 5 lock-screens bypassed by typing in a reeeeally long password.

Quote

If you’ve got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it’s best to use a PIN or pattern to secure your lock-screen – because there’s a trivial bypass for its password protection.

The vulnerability, details of which were published here by University of Texas researchers on Tuesday, allows miscreants to sidestep lock-screens on Android 5 devices, unless they’ve been fully patched to version 5.1.1 including last week’s security updates.

“By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen,” the researchers write.

Yes, by typing in too many characters, you can kill off the security mechanism and gain full access to the device, even if its filesystem is encrypted – miscreants can exploit this to run any application, or enable developer access to the device.