Security | Marten IT Blog
Security

You Might Want To Uninstall VLC. Right Now. Immediately

An article published on Gizmodo reports a security flaw that affects VLC on all platforms except macOS.
"The vulnerability allows for RCE (remote code execution) which potentially allows bad actors to install, modify, or run software without authorisation and could also be used to disclose files on the host system. Translation: VLC’s security hole could allow hackers to hijack your computer and see your files."

Read more at Gizmodo

Apple, Google, Microsoft tell GCHQ to drop 'ghost' spy protocol

A proposal floated last year by Britain's Government Communications Headquarters (GCHQ) to create an invisible listening-in facility for end-to-end encrypted messaging services has been slammed by a coalition of technology companies, civil rights organisations and security experts as dangerous and a threat to basic human rights.

Story from itnews. Read the story here

Snapchat employees abused company data access tools to spy on users

According to a report on Thursday, a number of Snap employees abused privileged data management tools to snoop on Snapchat users, in some cases potentially gaining access to location and contact information, as well as saved Snaps.
Full story on: AppleInsider

Google has stored some passwords in plain text since 2005

Google announced today that it's the latest tech giant to have accidentally stored user passwords unprotected in plaintext. G Suite users, pay attention.
Google says that the bug affected "a small percentage of G Suite users," meaning it does not impact individual consumer accounts, but does affect some business and corporate accounts, which have their own risks and sensitivities.

Story Source: Wired

Thousands of Linksys Routers Leaking Sensitive Data: What to Do Now

Security researcher Troy Mursch last week revealed that more than 25,000 Linksys home Wi-Fi routers around the world are secretly leaking sensitive information about themselves, and the devices on their networks, to anyone who knows what to look for. There's a full list of the roughly three dozen affected models here.
Source: TomsGuide

Security Checklist

When it comes to security on your computer, there are a number of areas that should be considered.
Passwords
You must always use strong passwords that cannot be guessed by anyone and they should never be reused anywhere else.
This obviously makes sense for maximum security but:
  • What is a strong password?
  • How do you come up with a strong password?
  • How do you remember the strong password?
The answer to these questions is not that complicated.
A strong password is one that cannot be guessed or derived through some automated process. An example of a strong password is:
Jg4uyG3B87dTg%x
This is 15 characters put together at random, including 4 numbers, 1 symbol and upper and lowercase letters.
Another example uses words, which may be easier to remember:
musty-eject-thing-quackery
This uses 4 words and hyphens.
So, how do you come up with these strong passwords? The simplest answer is to use software such as 1Password by AgileBits (https://1password.com). On the Mac, a program called Keychain Access stores generated passwords: when you create an account in the browser or change your password, it will suggest a strong password for you and store it in the Keychain.

Once you have created these strong passwords, then you never have to remember them again as they will be available to you when you need them. In the case of 1Password, you only ever have to remember the password to 1Password to access all your other passwords.

In the latest versions of macOS and iOS, the passwords created and stored by Keychain carry across your devices, and if you also have 1Password, you can open that if the password is stored in it.
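The two password styles described above, generated from a cryptographic random source and compared by entropy. This is an added example, not part of the original post or of any product it mentions; the word list is a constructed sample, and the 7776-word list size used for the passphrase figure is an assumption.

```python
import math
import secrets
import string

# Constructed 16-word sample list, for illustration only. A real generator
# draws from a list of several thousand words (7776 is assumed below).
SAMPLE_WORDS = [
    "musty", "eject", "thing", "quackery", "harbor", "velvet", "pickle",
    "tundra", "lantern", "gravel", "orbit", "mitten", "cobalt", "fennel",
    "walnut", "ripple",
]

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def random_password(length=15):
    """Random password with at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        # secrets uses the OS CSPRNG; the random module is not suitable here.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejecting candidates that miss a class trims the entropy slightly.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def passphrase(words, count=4, sep="-"):
    """Passphrase of `count` words picked independently and uniformly."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, picks):
    """Upper bound on guessing entropy: picks * log2(pool_size)."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    print(random_password(), f"{entropy_bits(len(ALPHABET), 15):.1f} bits")
    print(passphrase(SAMPLE_WORDS),
          f"{entropy_bits(7776, 4):.1f} bits with a 7776-word list")
```

Fifteen characters from the 94-character alphabet give roughly 98 bits, while four words from a 7776-word list give roughly 52 bits, so a passphrase needs more words to match the random string.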

Two Factor Authentication
Use it for your Apple ID, Google, Facebook, Microsoft and everywhere it is available. It will ensure that there is no unauthorised access to your accounts.

Microsoft uses its Authenticator app on your mobile device, and Google uses its Authenticator app, which a number of third parties such as Square, Amazon, Airtable and Synology also use.

Disable Automatic Login
Do not allow your computer to log in without an account and a password. Require passwords for each account on the computer or, in the case of a mobile device, ensure that it is protected by some form of authentication at all times, whether that is Face ID, fingerprint, passcode or whatever method your device uses.

Don’t Trust Emails or Text Messages
If you receive an email or a text from an unknown source that is unsolicited, do not click on any links or in fact on anything in the email or message.
Banks do not send you links for you to click nor do any sensible organisations. If you think it may be legitimate, go to the site you know and check it out, not via a link in the email or message.

Phone Call Scams
There are many scams out there which include ones where they pretend to have detected an issue with your computer. Just hang up.
More recently, you may receive phone calls from unknown locations and numbers that hang up before you have a chance to answer. They want you to phone back because the number is a premium-rate line that will cost you a great deal of money, and they will waste as much of your time as possible.
Don’t phone back any of these numbers!

Online Scams
Be aware of any scams involving buying, selling and job offers.

Public WiFi
Do not trust any public WiFi hotspots. Do not do anything such as banking, or anything where you need to use account details, unless it's an https (secure) site or you use a VPN service.

Software Updates
Install the latest security updates and OS updates and third party software updates.

Be Informed
Read news sources and keep up with the latest threats.

Scamwatch
Scamwatch (https://www.scamwatch.gov.au) has information on the latest scams.

Smart home devices attract hackers in their first five minutes online

An article on gearbrain.com states that a new report emphasizes why people need to change default passwords and user names immediately.

Within five minutes of a smart device going online, hackers will try to gain access by using well-known factory setting passwords and usernames. Even devices that have been updated, where a buyer sets up new credentials immediately, may be hacked because of security vulnerabilities built into the security camera, virtual assistant, thermostat or other product.

Read the full article at gearbrain.com

Apple bans Facebook from tech tools for tracking teen browsing habits

Apple Inc said on Wednesday it had banned Facebook Inc from a program designed to let businesses control iPhones used by their employees, saying the social networking company had improperly used it to track the web-browsing habits of teenagers.

Apple offers what are known as certificates that let businesses have deep controls over iPhones, with the potential to remotely install apps, monitor app usage and access, and delete data owned by a business on an iPhone. Apple designed the program for organizations whose staff use iPhones for official duties, when privacy needs are different from phones for personal use.

Source: Reuters. (Click the link to read the full story)

Houzz Security Breach

Houzz has sent out a notification to its users who may have been affected by a security breach.

“Houzz recently learned that a file containing some of our user data was obtained by an unauthorised third party. The security of user data is our priority. We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts. We have also notified law enforcement authorities.

Out of an abundance of caution, we have notified all Houzz users who may have been affected.”

If you have a Houzz account, it would be worth reading the following information on their site: Houzz Security Update - FAQ

Facebook virus attacks and how to protect from them

MacPaw published a page with information concerning security issues on Facebook. It is worth a read.

"There have been a host of Facebook virus attacks in the little over a decade it’s been in existence. Some are fairly easy to spot and avoid, others look fairly innocuous until it’s too late. Here, we’ve listed the most common Facebook virus attacks and how to protect yourself from them."

Click on the link above to read their full story or here.

US govt orders security measures for DNS hijack emergency

Iran blamed for "almost unprecedented scale" attacks compromising web and email traffic.
The United States Department of Homeland Security has issued an emergency directive in response to a serious, global campaign of domain name system (DNS) infrastructure tampering, believed to originate in Iran.
Earlier in January, security vendors Cisco Talos and Mandiant FireEye outlined a spate of DNS hijacks against multiple government, telcos and internet infrastructure organisations in Europe, North America and the Middle East/Africa.

Attackers have successfully redirected web and email traffic by altering DNS records, making them point to servers on addresses that they control.

They've been able to do so by capturing credentials for administrative accounts that can make changes to DNS records. FireEye and Talos said they have received reports that sophisticated phishing attacks were used to gain access for DNS record manipulation, as well as compromising a victim's domain registrar account.

Sourced from: itnews.com

Mozilla warns decryption laws will break open source

Mozilla is worried that Australia’s proposed decryption laws will break the principles and licensing terms of open source software.
The foundation said in a submission to the government that being forced to secretly create vulnerabilities in an open source product would be extremely difficult.

Mozilla expresses a number of concerns, including:
The limitation on systemic vulnerabilities is inadequate.
The key provision seeking to limit the widespread security risks of this bill is a prohibition on forcing companies to build a “systemic vulnerability” into their systems or to prevent them from rectifying a systemic vulnerability. However, the term “systemic” is not defined in the bill, leaving dangerous ambiguity that could be exploited by the government. The accompanying Explanatory Document provides some additional clarity but not confidence in stating that systemic vulnerabilities exclude “actions that weaken methods of encryption or authentication on a particular device.”

The Government goes on to say that this legislation would permit “requir[ing] a provider to enable access to a particular service, particular device or particular item of software.”
For a company to enable this capability would effectively be to create a systemic vulnerability, whether the capability is provided by “one-off” upgrades sent to specific devices or by inserting a remote access capability to all versions of their products. In either case, the company will be left with a fast-path method to compromising their user’s data, thus creating a high risk of compromise by malicious actors.

You can download the PDF here: Mozilla Submission

Apple says decryption should 'alarm every Australian'

Apple has laid out some of the ways it could be forced to spy on its customers if the decryption bill before Australian parliament passes into law.

The bill “could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well", Apple said in a parliamentary submission.

In the submission, Apple said, "The encryption technology built into today’s iPhone represents the best data security available to consumers. And cryptographic protections on the device don't just help prevent unauthorized access to your personal data — they're a critical line of defense against a criminal who seeks to implant malware or spyware, and use the device of an unsuspecting person to gain access to a business, public utility or government agency."

They go on to say "While the bill presents many questions and opportunities for clarification, we focus our comments on several overarching themes: (1) overly broad powers that could weaken cybersecurity and encryption; (2) a lack of appropriate independent judicial oversight, (3) technical requirements based only on the government’s subjective view of reasonableness and practicability, (4) unprecedented interception requirements, (5) unnecessarily stifling secrecy mandates, and (6) extraterritoriality and global impact."

Decryption laws enter parliament

The federal government has moved to introduce the legislation underpinning its controversial crackdown on encrypted communications services.

“The bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability," Dutton said in the bill's first reading.

The government has said this will invariably involve some weakening of security, but denies that it will lead to systemic weaknesses or vulnerabilities like backdoors in products or services.

Government Scamwatch Site

The federal government hosts a site that tracks the latest scams that seek to part you from your money by gaining access to your computer and bank account.

Decryption laws edge closer to reality

The federal government will move to introduce legislation for its crackdown on encrypted communications services in the upcoming spring sitting of parliament, a year after it first promised to do so.
It plans to present the legislation – dubbed the Telecommunication and Other Legislation Amendment (Assistance and Access) Bill – before December 7 this year.

I have heard the arguments from ordinary users stating that they have nothing to hide so why should they care? There are a number of aspects to this.
1. Whilst the government is not a corrupt totalitarian regime, you may have little to fear from them but history has shown that this is not guaranteed and can change very quickly.
2. Your communications which expose personal information such as your banking information, your username and password for the various services you access etc. should always be secure and encrypted. If the government has a backdoor then what stops criminals from exploiting this backdoor? It's a valid argument because trusting the custodians of the backdoor key has been proven to be folly as it will always be exploited. Just look at the leaks from supposedly secure government organisations such as the NSA, CIA and FBI in the US.
3. On another level, if your data can be decrypted in transit by third parties, what is there to stop this information from being mined and used for marketing or to profile individuals for other purposes?
4. If you are not convinced that it is a bad idea, just think about the countless millions of accounts that have been hacked due to the custodians of your personal data being hacked. This information has been used to steal money, create false identities for other criminal activities etc.

It's interesting that governments that were formerly conservative in their thinking are now on the bandwagon of trying to impose these types of laws. Historically it was always more likely to come from the left of politics that would push such ideas.



Article published on itnews site.

Millions of Android Devices Vulnerable Out of the Box

In an article published on wired.com, they say that security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you.

Although the article refers to US carriers, it is likely that it applies to most carriers.

Read the full article at
Wired.com

How a bad microcode fix could brick billions of chips

According to an article on itnews, researchers worry about mitigating hardware flaws.
Cryptographer Adi Shamir is worried that billions of microprocessors could be irreversibly bricked in future by a microcode update gone wrong.
Source: itnews

Android vendors fail to install security patches

Devices lie and claim to be fully patched.

Security Research Labs analysed a large number of devices running Google's Android operating system, and found that some vendors fail to apply critical and high severity security patches.

Best to always check.

Source: ITNews, Android vendors fail to install security patches

Mark Zuckerberg Talks To Wired About Facebook’s Privacy Problem

When you are the product, as with Facebook and Google, you need to be careful what information you provide to their services if you want to maintain some privacy. Most people do not seem to care, do not understand, or believe the trade-off for providing their personal data is outweighed by the personal benefits.
In the past, it was very difficult to work out what your privacy settings actually were, and they would change, often without users being aware. This has improved but it is still very difficult to work out some of the settings. For example, deleting your Facebook account can be problematic because even if you do find where to do it, should you inadvertently connect to Facebook again from some device, it negates your deletion.
Source article: Wired - Facebook Privacy Issues

Another article on the same subject: What the F*** Was Facebook Thinking, and yet another one on how to delete your Facebook at https://vpnandgo.com/delete-facebook-account/

Equifax peeks under couch, finds 2.4 million more folk hit by breach

Embattled credit-reporting company Equifax has done some data crunching and discovered another 2.4 million people that had their information slurped by hackers.
The biz, which was subject to one of the biggest data breaches in US history last May, has already had to revise up the number of affected individuals.
The total stood at 145 million in the US and hundreds of thousands in the UK and Canada – but it's now found a few more people that previously escaped its "forensic" testings.
Source: TheRegister

RedDrop nasty infects Androids via adult links, records sound, and fires off premium-rate texts

A newly discovered strain of Android malware makes live recordings of ambient audio around an infected device.
The RedDrop nasty also harvests and uploads files, photos, contacts, application data, config files and Wi-Fi information from infected kit. Both Dropbox and Google Drive are being used as temporary storage by the attackers.
Source: TheRegister

Europe seeks power to seize overseas data

Reuters reported that the EU is preparing legislation to force companies to turn over customers' personal data.
This is part of a worldwide trend of governments seeking access to encrypted data on the premise that it is to keep society safer.
In Australia, there is a movement to have decryption legislation which will allow access to users' data.
The argument is always that this access is to assist in fighting crime and to protect society. Individuals may say, "I have nothing to hide, so why not?", but this is potentially very dangerous if governments are able to spy on everyone at any time. Past experience has shown that this sort of power has been abused by governments to silence or eliminate opposition groups.

Reuters article: https://goo.gl/SeozfG
ZDNet article: https://goo.gl/L584Ew

Australia's Notifiable Data Breaches scheme is now in effect

The Notifiable Data Breaches (NDB) scheme comes into effect today, requiring agencies and organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.

Source story: https://goo.gl/GfkcTA

macOS and iOS Updates

Apple has released supplemental updates for macOS 10.13.3 and iOS 11.2.6 to fix a bug that caused devices to crash when trying to process specific Unicode characters.

The problem relates to rendering certain Indian characters which could cause the device to crash.

Apparently some mischievous people have intentionally inserted these characters to cause problems for those unfortunate enough to have encountered them.

It's always a good idea to keep devices up-to-date, especially relating to security issues.
