Blog

IBM Bans Flash Drives at their facilities

FROM PC WORLD

Security trumps convenience, and IBM is taking that to the next level with its employees. The company has decided that removable storage devices are just too risky to use, so they’ve been banned.

As The Register reports, IBM’s global chief information security officer, Shamla Naidoo, recently informed all employees that data transfers to removable portable storage devices are now prohibited. That includes USB sticks, SD cards, and any form of portable hard drive.

Instead of portable storage, IBM wants everyone using the cloud and more specifically, IBM’s own File Sync and Share service, which it also offers to enterprise customers. That may work for IBM employees on campus, but what about those out in the field carrying out repairs and upgrades? Rather than having a patch on a USB stick, secure cloud access will need to be established instead.

READ FULL ARTICLE HERE

Reset your Twitter Password!

I received this about one of my accounts at Twitter. FYI – I would log in and reset your password!

Twitter
Hi @CraigKassing,
When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.
About The Bug
We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.
Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.
Tips on Account Security
Again, although we have no reason to believe password information ever left Twitter’s systems or was misused by anyone, there are a few steps you can take to help us keep your account safe:
1. Change your password on Twitter and on any other service where you may have used the same password.
2. Use a strong password that you don’t reuse on other services.
3. Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.
4. Use a password manager to make sure you’re using strong, unique passwords everywhere.
We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.
Team Twitter
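
The failure described in the email, a password reaching a log before it is hashed, can be reproduced and guarded against in a few lines. This is an added example, not Twitter's code: the field names, the sample request and the use of PBKDF2 as a standard-library stand-in for bcrypt are assumptions.

```python
import hashlib
import io
import logging
import os

# Field names treated as secrets (assumed for this example).
SENSITIVE_KEYS = {"password", "new_password", "current_password"}
REDACTED = "[REDACTED]"

# Constructed sample request; the password value is made up.
SAMPLE_REQUEST = {"username": "alice", "password": "hunter2-constructed"}


def scrub(value):
    """Return a copy of value with sensitive dict entries replaced."""
    if isinstance(value, dict):
        return {
            k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value


class RedactSecrets(logging.Filter):
    """Scrub log arguments before the handler formats the record."""

    def filter(self, record):
        if record.args:
            record.args = scrub(record.args)
        return True


def hash_password(password, salt):
    # PBKDF2 stands in for bcrypt here because bcrypt is not in the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def signup_vulnerable(log, request):
    # Bug pattern: the whole request is logged before the password is hashed.
    log.info("signup request %s", request)
    salt = os.urandom(16)
    return salt, hash_password(request["password"], salt)


def signup_hardened(log, request):
    # Hash first, then log only fields that are explicitly allowed.
    salt = os.urandom(16)
    digest = hash_password(request["password"], salt)
    log.info("signup request for user=%s", request["username"])
    return salt, digest


def capture(signup, log_filter=None):
    """Run one signup against an in-memory log and return what was logged."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if log_filter is not None:
        handler.addFilter(log_filter)
    log = logging.Logger("signup-demo", level=logging.INFO)
    log.addHandler(handler)
    signup(log, dict(SAMPLE_REQUEST))
    return stream.getvalue()


if __name__ == "__main__":
    print("vulnerable, no filter :", capture(signup_vulnerable).strip())
    print("vulnerable + filter   :", capture(signup_vulnerable, RedactSecrets()).strip())
    print("hardened              :", capture(signup_hardened).strip())
```

The filter is a safety net for structured arguments only; a password already interpolated into the message string would pass through it, which is why the hardened handler logs allow-listed fields instead.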

Scam hijacks Google Chrome browser, tries to get your personal data

“I get this call very often where the website screen has the warning that you need to call now! How to fix? Cut the power: just unplug the PC and restart. Normally it is a malicious website trying to scam you. Microsoft, antivirus companies, etc. will NEVER tell you to call them. EVER. It is a scam.”

Great article on the new Chrome issue below from Fox News


Scams that hijack the world’s most popular browser, Google Chrome, are making the rounds again.

It starts with a fake error message. For computer users, this is a vexing problem because the underlying malicious code locks up the browser. “The bug that it triggers is more than just an annoyance in the sense that it will render your Chrome browser unresponsive,” Jerome Segura, Lead Intelligence Analyst at Malwarebytes, told Fox News.

“In our tests, it also caused the operating system (Windows) to become unstable if we let it run for a certain amount of time,” Segura said, adding that Google is looking into the issue.

The issue was covered in a blog post this week by Malwarebytes, which was cited in a report by Ars Technica.

Google has not yet responded to a Fox News request for comment.

After the malicious code locks the browser, the fake warning tries to trick a user into calling a number. Then, a person posing as a company representative – from, for example, a well-known American technology company – asks for sensitive personal or financial information to fix the bogus issue.

“That’s where it does become a serious issue for the individual,” Inga Goddijn, executive vice president at Risk Based Security, told Fox News. “These messages are purposely designed to cause fear and provoke users into turning over sensitive information or in some cases even control of their computer. From there, the scammers really are in the driver’s seat.”

There are other variants of the scam too. For example, one – which also locks up your browser – offers fake deals such as a gift card.

And other browsers can be affected too. But since Chrome is the most widely-used web browser, outpacing Microsoft Edge, Safari and Firefox, it has been the place where many users come across the problem.

READ MORE HERE

Spectre and Meltdown explained: What they are, how they work, what’s at risk

There has been a lot of news on this and I found an article that does a great job of explaining the issue. Antivirus companies and Microsoft are working on this with a combined fix from both. Your antivirus will update itself once the release is put forward.

Spectre and Meltdown are the names given to a trio of variations on a vulnerability that affects nearly every computer chip manufactured in the last 20 years. The flaws are so fundamental and widespread that security researchers are calling them catastrophic.

In the first days of 2018, published research revealed that nearly every computer chip manufactured in the last 20 years contains fundamental security flaws, with specific variations on those flaws being dubbed Spectre and Meltdown. The flaws arise from features built into chips that help them run faster, and while software patches are available, they may have impacts on system performance. There is as of yet no evidence that these flaws have been exploited in the wild, but such exploits would be difficult to detect, and the flaws are so fundamental and widespread that security researchers are calling them catastrophic.

What are Spectre and Meltdown?

Spectre and Meltdown are the names given to different variants of the same fundamental underlying vulnerability that affects nearly every computer chip manufactured in the last 20 years and could, if exploited, allow attackers to get access to data previously considered completely protected. Security researchers discovered the flaws late in 2017 and publicized them in early 2018. Technically, there are three variations on the vulnerability, each given its own CVE number; two of those variants are grouped together as Spectre and the third is dubbed Meltdown.

All of the variants of this underlying vulnerability involve a malicious program gaining access to data that it shouldn’t have the right to see, and do so by exploiting two important techniques used to speed up computer chips, called speculative execution and caching.

What is speculative execution?

Speculative execution essentially involves a chip attempting to predict the future in order to work faster. If the chip knows that a program involves multiple logical branches, it will start working out the math for all of those branches before the program even has to decide between them. For instance, if the program says, “If A is true, compute function X; if A is false, compute function Y”, the chip can start computing both functions X and Y in parallel, before it even knows whether A is true or false. Once it knows whether A is true or false, it already has a head start on what comes after, which speeds up processing overall. Or, in another variation, if a chip learns that a program makes use of the same function frequently, it might use idle time to compute that function even when it hasn’t been asked to, just so it has what it thinks the answer will be on hand.

What is caching?

Caching is a technique used to speed up memory access. It takes a relatively long time for the CPU to fetch data from RAM, which lives on a separate chip, so there’s a special small amount of memory storage called CPU cache that lives on the CPU chip itself and that can be accessed very quickly. This memory gets filled with data that the chip will need soon, or often. What’s relevant for our situation is that data that’s output by speculative execution is often stored in cache, which is part of what makes speculative execution a speed booster.

The problem arises when caching and speculative execution start grappling with protected memory.

What is protected memory?

Protected memory is one of the foundational concepts underlying computer security. In essence, no process on a computer should be able to access data unless it has permission to do so. This allows a program to keep some of its data private from some of its users, and allows the operating system to prevent one program from seeing data belonging to another. In order to access data, a process needs to undergo a privilege check, which determines whether or not it’s allowed to see that data.

But a privilege check can take a (relatively) long time. So — and this is the key to the vulnerability we’re discussing — while the CPU is waiting to find out if the process is allowed to access that data, thanks to speculative execution, it starts working with that data even before it receives permission to do so. In theory this is still secure, because the results of that speculative execution are also protected at the hardware level. The process isn’t allowed to see them until it passes the privilege check, and if it doesn’t pass the check, the data is discarded.

The problem arises because the protected data is stored in CPU cache even if the process never receives permission to access it. And because CPU cache memory can be accessed more quickly than regular memory, the process can attempt to access certain memory locations to find out if the data there has been cached — it still won’t be able to access the data, but if the data has been cached, its attempt to read it will be rejected much more quickly than it otherwise would. Think of it as knocking on a box to see if it’s hollow. Because of the way computer memory works, just knowing the addresses where data is stored can help you deduce what the data is. This is what’s known as a side-channel attack.

What’s the difference between Spectre and Meltdown?

If you want a much more technical description of how Spectre and Meltdown work, you should check out the post on Google’s Project Zero site that was most of the world’s introduction to it. To keep it short and simple, both Spectre and Meltdown could allow potential attackers to get access to data they shouldn’t have access to using the techniques outlined above, but their effects are somewhat different:

  • Meltdown got its name because it “melts” security boundaries normally enforced by hardware. By exploiting Meltdown, an attacker can use a program running on a machine to gain access to data from all over that machine that the program shouldn’t normally be able to see, including data belonging to other programs and data that only administrators should have access to. Meltdown doesn’t require too much knowledge of how the program the attacker hijacks works, but it only works with specific kinds of Intel chips. This is a pretty severe problem but fixes are being rolled out.
  • By exploiting the Spectre variants, an attacker can make a program reveal some of its own data that should have been kept secret. It requires more intimate knowledge of the victim program’s inner workings, and doesn’t allow access to other programs’ data, but will also work on just about any computer chip out there. Spectre’s name comes from speculative execution but also derives from the fact that it will be much trickier to stop — while patches are starting to become available, other attacks in the same family will no doubt be discovered. That’s the other reason for the name: Spectre will be haunting us for some time.

Why are Spectre and Meltdown dangerous?

Spectre and Meltdown both open up possibilities for dangerous attacks. For instance, JavaScript code on a website could use Spectre to trick a web browser into revealing user and password information. Attackers could exploit Meltdown to view data owned by other users and even other virtual servers hosted on the same hardware, which is potentially disastrous for cloud computing hosts.

But beyond the potential specific attacks themselves lies the fact that the flaws are fundamental to the hardware platforms running beneath the software we use every day. Even code that is formally secure as written turns out to be vulnerable, because the assumptions underlying the security processes built into the code — indeed, built into all of computer programming — have turned out to be false.

Spectre and Meltdown patches

The fundamental vulnerability exists at the hardware level and cannot be patched. However, most vendors are releasing software patches that work around the problems. The KAISER patch, developed coincidentally in 2017 to improve Linux security, actually has the side effect of preventing Meltdown attacks. Major cloud vendors have by and large patched their servers. Patches have already been rolled out by Intel, Microsoft, Apple, and Google (see more below) and more are on the way. CSO’s J.M. Porup has a good roundup of steps you should take in the short term. Rendition Infosec also has a great resource on establishing a strategy for your organization that will, among other things, harden your systems and practices to prevent further damage if you do fall victim to an attack exploiting Spectre or Meltdown.
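
On Linux, where KAISER was merged as page table isolation (PTI), the kernel reports per-variant mitigation status under `/sys/devices/system/cpu/vulnerabilities/`. The following audit script is an added example, not part of the original article; the status labels, the "partial" heuristic and the sample file contents are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Kernel-provided status files; one per variant discussed above.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(raw):
    """Map a kernel status line to a coarse label."""
    text = raw.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        # Heuristic (assumption): a mitigation line that still mentions
        # "vulnerable" for a sub-feature is only partially covered.
        return "partial" if "vulnerable" in text.lower() else "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(base=SYSFS_DIR):
    """Return {variant: (label, raw status line)} for each checked file."""
    report = {}
    for name in CHECKS:
        try:
            raw = (Path(base) / name).read_text()
        except OSError:
            # Kernels that predate the interface do not expose the file;
            # treat that as a finding, not as "safe".
            report[name] = ("unreported", "")
            continue
        report[name] = (classify(raw), raw.strip())
    return report


def needs_action(report):
    """Variants that are neither mitigated nor reported as not affected."""
    ok = {"mitigated", "not_affected"}
    return [name for name, (label, _) in report.items() if label not in ok]


def demo_report():
    """Audit a constructed directory so the logic can be exercised offline."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "meltdown").write_text("Mitigation: PTI\n")   # constructed
        (base / "spectre_v1").write_text("Vulnerable\n")      # constructed
        # spectre_v2 deliberately absent to show the "unreported" path.
        return audit(base)


if __name__ == "__main__":
    live = audit()
    for variant, (label, line) in live.items():
        print(f"{variant:12} {label:12} {line}")
    print("needs action:", needs_action(live) or "none")
```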

Since JavaScript in the browser is one particularly dangerous vector for Spectre attacks, it’s also important to keep your browsers up to date.

Notably, older systems, particularly Windows XP, will almost certainly never be patched. Also left in the lurch are the millions of third-party, low-cost Android phones that don’t get security updates from Google, many of which are not particularly old.

Do Spectre and Meltdown patches hurt performance?

These patches generally mitigate the vulnerabilities by altering or disabling how software code makes use of the speculative execution and caching features built into the underlying hardware. The downside of this, of course, is that these features were designed to improve system performance, and so working around them can slow your systems down. While there were initial reports of performance hits up to 30 percent, benchmarks from Phoronix indicate that 5 to 10 percent seems more typical.

See complete article HERE

REMINDER – US government tells Windows users to uninstall QuickTime as Apple stops support

(From Craig – I am still seeing this on PCs and laptops)

The Department of Homeland Security has advised that PC owners uninstall Apple’s QuickTime for Windows, after two vulnerabilities were discovered in its code. Because Apple is no longer updating the Windows version of the software, the DHS says “the only mitigation” is to remove the software entirely, or else risk “loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets.”

The government’s advice echoes that offered by security firm Trend Micro, whose Zero Day Initiative first noted the two QuickTime for Windows vulnerabilities. The company says it’s not aware of any successful attacks that have used the security holes so far, but says that because Apple will not be issuing any patches to close them, they’ll remain inviting to malicious attacks from here on out.

THE MAC VERSION IS STILL GETTING UPDATES

The US government regularly puts out security alerts about specific software via its Computer Emergency Readiness Team (CERT), but the warnings are often more open-ended, advising people to use anti-virus software or keep on top of updates. In QuickTime’s case, Apple has been winding up its support for Windows for a long time — the video player wasn’t supported by either Windows 8 or 10, although some users hit upon a workaround. The company declined to comment to Reuters on the Windows vulnerability, although the DHS notes that the flaws aren’t found in the Mac version of the software, which continues to be updated as normal.

Keylogger Discovered on HP Laptops

From PC Magazine – By Matthew Humphries, December 11, 2017 9:28AM EST

HP isn’t doing too well on the security front recently. Last month the company was accused of quietly installing spyware on Windows PCs. This month, a keylogger has been found on over 460 different models of HP laptop.

The keylogger was discovered by security researcher Michael Myng who was looking at the keyboard driver SynTP.sys in an attempt to figure out how to control HP’s laptop keyboard backlight. What he found was a keylogger capable of recording every key stroke made by a user. Thankfully, the keylogger is disabled by default, but a simple registry value change would enable it meaning it counts as a “potential security vulnerability” a hacker could take full advantage of.

As the BBC reports, HP has issued a software patch to remove the keylogger which is present in the Synaptics touchpad driver. HP points out that enabling the keylogger would require administrative access therefore limiting the threat. However, there are over 460 models of HP laptop affected, including those in the EliteBook, ProBook, Pavilion, and Envy ranges, and the keylogger has been present since 2012. The software patch support page lists all models carrying the disabled keylogger.

If you’re wondering why HP allowed a keylogger to ship on so many laptops for so long, it looks to be a simple oversight. It was originally installed with the driver to act as a debugging tool checking for errors in the Synaptics software. It was then disabled, but never removed. That’s quite dangerous in 2017 when hackers will grab any opportunity they can find in hardware used by millions of people.

For more click HERE

Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability

Via The Hacker News:

**(Please make sure you are running Windows Update)**

If your computer is running Microsoft’s Windows operating system, then you need to apply this emergency patch immediately.

Microsoft has just released an emergency security patch to address a critical remote code execution (RCE) vulnerability in its Malware Protection Engine (MPE) that could allow an attacker to take full control of a victim’s PC.

Enabled by default, Microsoft Malware Protection Engine offers the core cybersecurity capabilities, like scanning, detection, and cleaning, for the company’s antivirus and antimalware programs in all of its products.

According to Microsoft, the vulnerability affects a large number of Microsoft security products, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.

Tracked as CVE-2017-11937, the vulnerability is a memory corruption issue which is triggered when the Malware Protection Engine scans a specially crafted file to check for any potential threat.

Read More Here

We Signed Up for Equifax’s TrustedID Premier and Here’s What Happened

by Jocelyn Baird 

Updated: Sept. 28, 2017

Although we have advised caution when it comes to enrolling in the free TrustedID Premier credit monitoring and identity theft protection offered by Equifax to all U.S. consumers in light of its massive data breach, we also know that many people will opt to enroll (or have already done so). To help anyone still making a decision or those who have started the enrollment process but not quite finished yet, we decided to have one of our editors go through the full process to show you exactly what happens and what the promised features look like from the inside. Although we still encourage people to prioritize taking their own protective measures, such as viewing all three of their credit reports for free through AnnualCreditReport.com, and consider a more robust service like LifeLock, this is the insider’s look on what happens when you sign up for Equifax’s TrustedID Premier.

What is TrustedID Premier?

This is a service provided and operated by Equifax exclusively for all U.S. citizens, whether they have been impacted by the data breach or not. It promises to provide:

TrustedID Premier features
  • 3-bureau credit report monitoring
  • Copies of your Equifax credit report
  • Ability to lock and unlock your Equifax credit file
  • Social security number monitoring
  • $1 million identity theft insurance

Membership is complimentary for one year, and you don’t have to provide any sort of credit card or payment information to enroll. According to FAQs on the Equifax data breach site, when the year is up, TrustedID Premier will expire rather than turn into a paid product. Keep reading to find out details on the enrollment process and find out what it looks like from the inside.

Getting started with TrustedID Premier

Those who checked their potential impact status on the Equifax data breach website in the early days after it was disclosed probably received a specific enrollment date. Regardless of that date or whether you checked your potential impact weeks ago or just today, everyone has until January 31, 2018 to enroll in TrustedID Premier. When you are ready to do so, you will want to navigate to the Enroll tab on the Equifax website and click “begin enrollment.” You’ll be asked to confirm your last name and the last six digits of your social security number, then you will be taken to a secondary page that asks for some personal information — including your name, date of birth, social security number (note that the website does not censor this, so you’ll want to be sure you are filling this page out while using a trusted Internet connection), gender, home address, email address and preferred phone number. After reading the terms of use and privacy notice and clicking on the orange “continue” button, you’ll be taken to a page that displays a blue check mark image. It should tell you that your information has been received and is being processed, and you must wait for an email to fully activate your account.

TrustedID Premier enrollment confirmation page

The timeline for receiving this email may vary; it took a little over 48 hours for ours to arrive. If you don’t receive your email after three days, you might want to contact Equifax to make sure your application was received and you didn’t mistype anything. Note that there has been some concern regarding the domain the email comes from vs. the domain of the activation link it contains. Security expert Brian Krebs wrote about this discrepancy recently and how it goes against best practices when it comes to identifying phishing emails. Here is what the email we received looked like:

The email we received to activate our TrustedID Premier enrollment.

Upon receiving the email, you will be instructed to click on a hyperlink which activates your TrustedID Premier account. This link takes you to a verification page that asks for the last four digits of your social security number and your birth date, followed by a prompt to create a password. Make sure that you choose a strong, secure password. Finally, you’ll be directed to a page with a few security questions that serve to verify your identity. You have five minutes to answer these questions before your activation is reset and you must try again.

CLICK HERE TO READ COMPLETE ARTICLE

Breach at Sonic Drive-In May Have Impacted Millions of Credit, Debit Cards

From Krebs On Security —

Sonic Drive-In, a fast-food chain with nearly 3,600 locations across 45 U.S. states, has acknowledged a breach affecting an unknown number of store payment systems. The ongoing breach may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores, KrebsOnSecurity has learned.

The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic.

I directed several of these banking industry sources to have a look at a brand new batch of some five million credit and debit card accounts that were first put up for sale on Sept. 18 in a credit card theft bazaar previously featured here called Joker’s Stash:

This batch of some five million cards put up for sale today (Sept. 26, 2017) on the popular carding site Joker’s Stash has been tied to a breach at Sonic Drive-In. The first batch of these cards appear to have been uploaded for sale on Sept. 15.

Sure enough, two sources who agreed to purchase a handful of cards from that batch of accounts on sale at Joker’s discovered they all had been recently used at Sonic locations.

Armed with this information, I phoned Sonic, which responded within an hour that it was indeed investigating “a potential incident” at some Sonic locations.

“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC,” reads a statement the company issued to KrebsOnSecurity. “The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

Christi Woodworth, vice president of public relations at Sonic, said the investigation is still in its early stages, and the company does not yet know how many or which of its stores may be impacted.

The accounts apparently stolen from Sonic are part of a batch of cards that Joker’s Stash is calling “Firetigerrr,” and they are indexed by city, state and ZIP code. This geographic specificity allows potential buyers to purchase only cards that were stolen from Sonic customers who live near them, thus avoiding a common anti-fraud defense in which a financial institution might block out-of-state transactions from a known compromised card.

Malicious hackers typically steal credit card data from organizations that accept cards by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers.

Prices for the cards advertised in the Firetigerr batch are somewhat higher than for cards stolen in other breaches, likely because this batch is extremely fresh and unlikely to have been canceled by card-issuing banks yet.

Read the Complete Article HERE

Google Home Mini and Pixel Set to Debut Next Month

Google Home Mini Set to Debut Next Month

Fortune Website
8:17 AM ET
(Note from Craig – Google Home and Amazon Echo are really good products that have so much potential for your home – Testing Google Home now. More to come.)

Google apparently has more up its sleeve for its October 4 event than just a Pixel 2 smartphone. The company is reportedly set to announce a new “mini-me” version of its Google Home connected speaker at the same time.

Google Home Mini looks like a squished version of the existing Google Home, according to tech news site Droid Life, which got its hands on some details, including the $49 price tag. The full-sized Google Home lists for $129.

The new product will also tap Google Assistant speech recognition and Google’s prodigious search capabilities.

Google Home Mini, which is reportedly the actual name, will come in several colors, including “chalk,” charcoal, and coral.

This product, and its big brother, compete with Amazon Echo in the home-based virtual personal assistant market. Amazon Echo started shipping in quantity in July 2015, and it announced a smaller Echo Dot version the following March.

Google could not be reached for comment.

According to new research from Consumer Intelligence Research Partners, Amazon accounts for 75% of the home assistant market with 15 million sold; Google stands at 24% with 5 million sold. New competitors in this field are expected from Samsung, Apple, and Microsoft.