
IT News

Windows 10: Just Say No

Comment: I have been in I.T. my entire career. I witnessed the birth of the internet, and with the help of Microsoft, Google and their ilk, I am witnessing its death. What was supposed to be an open platform for information sharing and communication has descended into an advertising & spyware platform for all sorts of miscreants – legal and otherwise. Welcome to the cesspool.

Microsoft is disgustingly sneaky: Windows 10 isn’t an operating system, it’s an advertising platform

Don’t believe what Microsoft tells you — Windows 10 is not an operating system. Oh, sure, it has many features that make it look like an operating system, but in reality it is nothing more than a vehicle for advertisements. Since the launch of Windows 10, there have been numerous complaints about ads in various forms. They appear in the Start menu, in the taskbar, in the Action Center, in Explorer, in the Ink Workspace, on the Lock Screen, in the Share tool, in the Windows Store and even in File Explorer.

Microsoft has lost its grip on what is acceptable, and even goes as far as pretending that these ads serve users more than the company — “these are suggestions”, “this is a promoted app”, “we thought you’d like to know that Edge uses less battery than Chrome”, “playable ads let you try out apps without installing”. But if we’re honest, the company is doing nothing more than abusing its position, using Windows 10 to promote its own tools and services, or those with which it has marketing arrangements. Does Microsoft think we’re stupid?

….
(Yes they do)

It might feel as though we’re going over old ground here, and we are. Microsoft just keeps letting us (and you) down, time and time and time again.

It’s time for things to change, but will Microsoft listen?
Article source: HERE

(Of course not, they are a monopolist)

Cloud Pets! Your Family & Intimate Messages exposed to all sorts of Miscreants

… Now I know the average parent spends a good deal of their time on Facebook and other “look at me .. look at me” social media and could care less about such hard to understand things like I.T. Security.

BUT THESE ARE YOUR CHILDREN AND YOU NEED TO PROTECT THEM!

…sorry, as a parent, this stuff makes my blood boil. Look parents, you scour the pedophile databases for your neighborhood, but leave the barn door open on the Internet. If you think governmental entities are going to protect you, you are only fooling yourselves. Companies peddling these things are about making the maximum amount of money at the lowest possible cost. They will **NOT** invest in expensive and complex security. Why? They do not have to. By the time the breach is discovered, they have made their millions. And there are absolutely no teeth in any governmental mandates to provide security, such that any really exist in the first place.

Ok, on with the story!

The personal information of more than half a million people who bought internet-connected fluffy animals has been compromised.

The details, which include email addresses and passwords, were leaked along with access to profile pictures and more than 2m voice recordings of children and adults who had used the CloudPets stuffed toys.

The US company’s toys can connect over Bluetooth to an app to allow a parent to upload or download audio messages for their child.

Of course the company denied it and shot at the messenger.

CloudPets’s chief executive, Mark Myers, denied that voice recordings were stolen in a statement to NetworkWorld magazine. “Were voice recordings stolen? Absolutely not.” He added: “The headlines that say 2m messages were leaked on the internet are completely false.” Myers also told NetworkWorld that when Motherboard raised the issue with CloudPets, “we looked at it and thought it was a very minimal issue”. Myers added that a hacker would only be able to access the sound recordings if they managed to guess the password. When the Guardian tried to contact Myers on Tuesday, emails to CloudPets’s official contact address were returned as undeliverable.

Troy Hunt, owner of data breach monitoring service Have I Been Pwned, drew attention to the breach, which he first became aware of in mid-February. At that point, more than half a million records were being traded online. Hunt’s own source had first attempted to contact CloudPets in late December, but also received no response. While the database had been connected to the internet, it had more than 800,000 user records in it, suggesting that the data dump Hunt received is just a fraction of the full information potentially stolen.

The personal information was contained in a database connected directly to the internet, with no usernames or passwords preventing any visitor from accessing all the data. A week after Hunt’s contact first attempted to alert CloudPets, the original databases were deleted, and a ransom demand was left, and a week after that, no remaining databases were publicly accessible. CloudPets has not notified users of the hack.

Hunt argues the security flaws should undercut the entire premise of connected toys. “It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.

“If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen. There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them. Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.”

John Madelin, CEO at IT security experts RelianceACSN, echoes Hunt’s warnings. “Connected toys that are easily accessible by hackers are sinister. The CloudPets issue highlights the fact that manufacturers of connected devices really struggle to bake security in from the start. The 2.2m voice recordings were stored online, but not securely, along with email addresses and passwords of 800,000 users, this is unforgivable.”  Source: Guardian Article Here

Now for the technical, here are some tidbits from the researcher. Full article here

“Clearly, CloudPets weren’t just ignoring my contact, they simply weren’t even reading their emails”

There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.

But then I dug a little deeper and took a look at the mobile app:

CloudPets app

This app communicates with a website at spiraltoys.s.mready.net which is on a domain owned by a Romanian company named mReady. That URL is bound to a server with IP address 45.79.147.159, the exact same address the exposed databases were on. That’s a production website there too because it’s the one the mobile app is hitting so in other words, the test and staging databases along with the production website were all sitting on the one box. The most feasible explanation I can come up with for this is that one of those databases is being used for production purposes and the other non-production (a testing environment, for example).
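A defender-side check for the condition described above (database listeners reachable from the network on the same host as a web front end), added here as an example and not taken from the researcher's article or from CloudPets. It parses `ss -ltn` output from a host you administer; the sample output, the port list and the function names are constructed for illustration, and the page does not say which database product was involved.

```python
import ipaddress

# Well-known default ports of common database servers (assumed defaults;
# a deployment may use others, so extend this map for your environment).
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis",
            9200: "Elasticsearch", 27017: "MongoDB"}
WEB_PORTS = {80, 443}

# Constructed sample of `ss -ltn` output, not captured from any real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::]:6379           [::]:*
LISTEN 0      80     10.0.0.5:3306       0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or unrelated line
        addr, _, port = cols[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface
        listeners.append((addr, int(port)))
    return listeners

def reachability(addr):
    """Classify a bind address by who can reach it."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    if ipaddress.ip_address(addr).is_loopback:
        return "loopback"
    return "non-loopback"

def audit(ss_output):
    """Flag database ports bound beyond loopback, and note whether the
    same host also serves web traffic (the one-box layout described above)."""
    listeners = parse_listeners(ss_output)
    web = any(p in WEB_PORTS and reachability(a) != "loopback"
              for a, p in listeners)
    findings = []
    for addr, port in listeners:
        scope = reachability(addr)
        if port in DB_PORTS and scope != "loopback":
            findings.append({"service": DB_PORTS[port], "port": port,
                             "bind": addr, "scope": scope,
                             "shares_host_with_web": web})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f)
```

A finding only says the port is bound beyond loopback; whether it is reachable from the internet and whether authentication is enabled still have to be checked against the firewall rules and the database configuration.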

Not so Smart using a Smart TV

As reported, Vizio’s Smart TVs spied on you

Starting in 2014, Vizio made TVs that automatically tracked what consumers were watching and transmitted that data back to its servers. Vizio even retrofitted older models by installing its tracking software remotely. All of this, the FTC and AG allege, was done without clearly telling consumers or getting their consent.

What did Vizio know about what was going on in the privacy of consumers’ homes? On a second-by-second basis, Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content. What’s more, Vizio identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts. Add it all up and Vizio captured as many as 100 billion data points each day from millions of TVs.

Vizio then turned that mountain of data into cash by selling consumers’ viewing histories to advertisers and others. And let’s be clear: We’re not talking about summary information about national viewing trends. According to the complaint, Vizio got personal. The company provided consumers’ IP addresses to data aggregators, who then matched the address with an individual consumer or household. Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name, but allowed a host of other personal details – for example, sex, age, income, marital status, household size, education, and home ownership. And Vizio permitted these companies to track and target its consumers across devices.

That’s what Vizio was up to behind the screen, but what was the company telling consumers? Not much, according to the complaint.

Source here

Well, for their offense Vizio was slapped with a 2.2 million fine. Sounds like a lot, right? Well, as a colleague of mine observed, that is 20 cents per TV. In other words, it was a great ROI for Vizio and points out how toothless the FTC really is.

So what to do? Turn off all the Smart TV features, boycott Vizio (that said, Samsung and others are just as bad, it may appear). Better yet, unplug the TV from the Internet.

Some sites suggest that Roku and Apple streaming boxes front-ending your TV are better. I am not so sure as I know with the Roku, at least, one needs to reset your ID often to clear the tracking and there does not appear to be a permanent “Kill” switch for this type of spyware crap.

I am toying with building my own set top streaming device using the Raspberry Pi. If I do so, I will pay special attention to the privacy aspects of the embedded software I use and report findings here. Don’t hold your breath, time is at a premium here.

Anyway – welcome to the iDIoT. The Insecure Dumbed-down Internet of Things

Nick

Trump: Blame the Computers not Russia

Trump: “I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind the security we need,” Trump said according to press pool report. He was at the Mar-a-Lago resort at the time of making the statement.” Source

Actually, I agree with Trump on this. We do not have the security we need. More fundamental to that, we do not have a mindset that puts computer security first. We bolt the front door and secure our physical premises with 24/7 monitoring services, yet we leave the barn door wide open for our online presence be it email, social media, browsing and shopping.

Privacy and security is an option when in fact it should come first. Imagine if the internet was built from the ground up with privacy and security as the foundation layer? That would mean no web bugs, tracking cookies, targeted advertising, privacy statements like Netflix’s (for example) that say, let me rape you and sell my experience and if you do not agree, your option is to cancel your subscription.

And home router manufacturers that make appliances so easily hacked it is a joke. And Microsoft Windows that to this day facilitates users running with administrator privileges in everyday use. And the IoT – internet of things that have little if any security. And the mindset of the average consumer that allows Amazon’s Alexa into their home. Completely secure, right? Yeah sure. Why then, I ask, did this happen: “Amazon had been served with a search warrant in a murder case, as detectives in Bentonville, Ark., want to know what Alexa heard in the early morning hours of Nov. 22, 2015 — when Victor Collins was found dead in a hot tub behind a home after an Arkansas Razorbacks football game.” (Read more) Come on! Lock the door, arm yourself to the teeth, **but** let a device with 7 microphones listening to every sound in your house connected to ?? and easily hacked by ?? (you’ll never know!). By the way, the same goes with Siri and Google voice on your smart phones.

Don’t blame the Russians, blame yourself. Yes, the mindset needs to change indeed.

Happy New Year.

Russian hackers throw Trump victory party with new spear phishing campaign

Quote

Tied to DNC breach

Less than six hours after Donald Trump won the US presidential election, a new spear phishing campaign was launched by a Russia-based group. The group is apparently one of the two organizations connected to the breach at the Democratic National Committee, and it’s responsible for nearly a decade of intelligence collection campaigns against military and diplomatic targets.

Security firm Volexity refers to the group as “the Dukes” based on the malware family being utilized. According to a report by Volexity founder Steven Adair, the group is known for a malware family known as “the Dukes”—also referred to as APT29 or “Cozy Bear.” The Dukes’ primary targets in this latest round of attacks appear to be non-governmental organizations (NGOs) and policy think tanks in the US.

Trump’s taxing problem: The end of ‘affordable’ iPhones

Quote

In Trump’s view, Apple is emblematic of US manufacturers responsible for killing domestic jobs by buying components made and assembled overseas. The iPad employs chips designed in Britain by ARM, memory from South Korea’s Samsung and Japan’s Toshiba and Elpida Memory, with assembly by Foxconn in Taiwan.

But step back and Trump’s economic nationalism extends beyond the obvious target of Apple – it takes in a broad swath of tech firms large and small from “ordinary” US states and places.

Over in Trump-friendly Texas, Dell employs Samsung’s NAND in its storage devices with Massachusetts-based EMC also employing Sammy’s memory.

Up in the Hillary-Clinton-supporting northwest, Microsoft uses the Foxconn-like Pegatron in Taiwan to build its Surfaces, which also happen to employ Samsung’s SSD.

Technology firms across the US, not just Silicon Valley, are plugged into the global sourcing and integration of components.

The rise of IoT takes this into newer, smaller devices – no longer just the big stuff of enterprise or the shiny stuff in the hands of consumers.

US firms that are part of this global supply chain will pay more in tax.

Trump has proposed to tax goods from US companies made abroad and imported with a 35 per cent levy on goods coming from Mexico. He has also talked of a 15 per cent tax on “outsourcing jobs” and an apparent further 20 per cent tax for all imported goods.

..

It’s therefore reasonable to expect the price of tech to increase domestically in the long term and for the cost to feed in internationally.

There is a “but”, however. Donald Trump himself. Given his propensity for verbal pugilism during the presidential campaign, it’s difficult to know what words were intended simply to score points and grab the sound bite and which was actual policy in the making.

Comment
If companies invested a fraction of the amount of the cost to move overseas in training, then the landscape would be far different today. The likes of Apple just accelerate the race to the bottom and hollow out the middle class, adding to the income disparities that we see today.

Like with a Cloth or something?

Quote

August 2015 Hillary Clinton was asked, “Did you wipe your email server?” and she evasively replied, “Like with a cloth or something?” A year later we found out that “cloth” was BleachBit, a software application that deletes information “so even God can’t read it,” as Congressman Trey Gowdy announced August 2016.

  • After you have smashed your BlackBerry, don’t forget to wipe the fingerprints from your email server with this non-abrasive, soft microfiber Cloth or Something.
  • Thin, foldable size makes it easy to stash the Cloth or Something in burn bags.
  • 6″ x 6″ size quickly wipes even the biggest email servers with thousands of emails.
  • Buy an extra cloth for your VIP (VERY VIP) client.
  • Optionally autographed on the back by Andrew, creator of BleachBit.
  • Printed in the USA!
  • Guaranteed not to prove intent, or you will get a full refund paid when you are released from prison.
  • First-class shipping and handling is a flat rate of $2 per order.
  • Yes, this cloth is real, and you can really buy it.

Don’t wait for a subpoena: Order Now!

Security analyst says Yahoo!, Dropbox, LinkedIn, Tumblr all popped by same gang

Quote

Says five-strong ‘Group E’ may have lifted a billion Yahoo! records, sells to states

Five hackers are said to be behind breaches totalling up to a staggering three billion credentials from some of the world’s biggest tech companies including the Yahoo! breach that led to the loss of 500 million credentials.

The claims, made to The Reg by recognised threat intelligence boffin Andrew Komarov, pin the world’s largest hacks on “Group E”, a small Eastern European hacking outfit that makes cash breaching companies and selling to buyers including nation states.

Komarov told The Register the group is behind a laundry list of hacks against massive household tech companies including the breach of Yahoo!, Dropbox, LinkedIn, Tumblr, and VK.com among other public breaches.

The analyst says the same hacking group has breached other major tech firms but would not be drawn on revealing the names of the affected companies nor the number of compromised credentials. Komarov has reported those breaches which are not on the public record to police.

He goes further and says much of the reporting concerning the Yahoo! breach was inaccurate, and suggests the number of affected credentials could be as high as one billion, double what was reported.

Group E had, according to Komarov, breached Yahoo! and sold the massive data haul through a recognised hacker identity who served as a broker.

It was then sold to an unnamed nation-state actor group.
….
Komarov, an established threat intelligence man formerly of Intelcrawler before its acquisition by Arizona-based security firm InfoArmor, is one of a handful of cybercrime intelligence analysts who closely monitor closed crime forums and dark web sites.

He fingers a Russian-speaking criminal hacking identity known as Tessa88 as the broker used by the two hacking groups.

Quote

AT&T is getting rid of Internet Preferences, the controversial program that analyzes home Internet customers’ Web browsing habits in order to serve up targeted ads.

“To simplify our offering for our customers, we plan to end the optional Internet Preferences advertising program related to our fastest Internet speed tiers,” an AT&T spokesperson confirmed to Ars today. “As a result, all customers on these tiers will receive the best rate we have available for their speed tier in their area. We’ll begin communicating this update to customers early next week.”

Data collection and targeted ads will be shut off, AT&T also confirmed.

Good news at last on privacy

Chrome trumps all comers in reported vulnerabilities

Quote

More vulnerabilities were discovered in Google Chrome last year than any other piece of core internet software – that’s according to research that also found 2014 clocked record numbers of zero-day flaws.

The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company’s Personal Software Inspector tool residing on “millions” of customer end points, each with an average of 76 installed applications.

It said the Chocolate Factory’s web surfer had more reported vulnerabilities than Oracle Solaris, Gentoo Linux, and Microsoft Internet Explorer which rounded out the top four among the analysed core products. ….Chrome leads the browser pack with 504 reported vulnerabilities followed by Internet Explorer with 289 and Firefox with 171. Some 1035 flaws were reported across all browsers including Opera and Safari, up from 728 in 2013.

Wait, but isn’t Google itself a threat?