Tag Archives: General Interest

Posted on Author Atlantic Computer Services Categories Blog

Thunderbolt Vulnerability Could Allow Hackers Access

A new vulnerability was revealed to the world at the 2019 NDSS security conference. It’s a grim one with the potential to impact FreeBSD, Linux, Windows and Mac systems worldwide.

Dubbed ‘Thunderclap,’ the flaw can be exploited to impact the way that Thunderbolt-based peripherals connect and interact with a target system.

If you’re not familiar with Thunderbolt, it’s a hardware interface jointly designed by Intel and Apple that allows users to connect peripherals like chargers, keyboards, video projectors (and the like) to computers.  The interface was originally available only in the Apple ecosystem, but subsequent generations of Thunderbolt expanded its reach.  These days, Thunderbolt has hooks in every major OS in use today.

At a high level, Thunderclap is nothing more than a union of various security flaws found in the interface.  The main flaw stems from the fact that OS’s tend to implicitly trust any newly connected device, granting it access to all system memory.  A hacker attacking a system using this exploit can even bypass a system’s IOMMU (Input-Output Memory Management Unit), which is specifically designed to counter such threats.

Research conducted jointly at the University of Cambridge, SRI International, and Rice University discovered Thunderclap in late 2016. They have been quietly sounding the alarm since.  Unfortunately, the companies that design and sell operating systems have been slow to act, in a classic case of passing the buck.  The most common reason for failing to act is that the OS vendors say the responsibility lies on the peripheral side and vice versa.

The issue is finally getting the attention it deserves, but to date, none of the OS development companies have published a timeframe for when they’ll be issuing a patch to cover the security flaw.  Until that happens, the best thing you can do is to disable Thunderbolt ports via your system’s BIOS.

0
Posted on Author Atlantic Computer Services Categories Blog

Microsoft Account Email Phishing Attempt Looks Legitimate

Researchers have discovered a pair of nasty phishing campaigns that are making use of Microsoft’s Azure Blob Storage in a bid to steal the recipient’s Microsoft and Outlook account credentials.

Both campaigns are noteworthy in that they utilize well-constructed landing pages that have SSL certificates and a windows.net domain, which combine to make them look totally legitimate.

Given that most users don’t pay close attention to the exact address they’re navigating when they click on a link embedded in an email, these things are more than enough to fool many users. The first campaign relies on some basic social engineering to prompt the user to do something.

The subject lines vary a bit, but fundamentally they are called to action like:

“Action Required: (user’s email address) information is outdated – Re-validate now!”

The body of the email reinforces this point and helpfully contains a link to help you on your way to re-validating your account.  Clicking on the link doesn’t raise suspicion because the landing page is a carbon copy of the Outlook Web App that’s complete with a box that allows you to “validate” your password. Of course, what you’re actually doing is giving your email password to the hackers, who then have unfettered access to your inbox and contact list.

The second campaign is the weaker of the two, although it’s set up much the same way.  The subject line indicates that you need to take action to re-validate your Facebook Workplace service account, but when you click the link, you’re actually taken to a clone of Microsoft’s landing page. This was no doubt a mix-up on the part of the hackers and will be addressed in short order.

In any case, it pays to make sure your employees are aware of both of these, so they don’t inadvertently wind up handing over the keys to their digital kingdom.

0
Posted on Author Atlantic Computer Services Categories Blog

Iconic Software Adobe Shockwave Unavailable After April

It’s the end of an era.  Way back in 1995, a company called Macromedia released the iconic Shockwave player, which quickly became a mainstay on Windows-based machines.

A decade later, Adobe purchased Macromedia, taking ownership of the Shockwave player and the company’s other  products (like Flash), both of which continued under the Adobe brand.

Time has not been kind to the technology.  Not only has the company struggled to keep them secure, but the web itself has moved on.  While Flash and Shockwave were once instrumental to cutting edge web development, today’s developers have migrated to WebGL and HTML5, leaving these products with a withering market share.

Although there’s not much current demand for the products, there are a surprising number of legacy websites that still rely on the aging tech.  That’s why Adobe’s recent end of life announcement for Shockwave is sending ripples of panic through the internet.

Adobe has begun sending out emails to their customers bearing the subject line “Adobe Shockwave Product Announcement” in a bid to give webmasters whose sites are built around the tech time to shift gears. The Shockwave Player will officially be retired as of April 8th, 2019, about a year before another iconic Adobe product called Flash Player is slated to retire.

According to the official announcement, business owners with existing Shockwave Enterprise licenses will continue to receive product support until the end of their current contract.  There will be no renewals.

All that to say, the clock is ticking.  If redesigning your company’s website to migrate away from Shockwave and Flash is something you’ve had on the backburner for a while, it’s time to move it to the front of the queue.  Be sure your IT and web development staff are aware, and plan accordingly.  The end is nigh.

0
Posted on Author Atlantic Computer Services Categories Blog

Faster USB Standard Is Coming But There Are Complications

If you have a need for speed, you’ll be thrilled to know that USB 3.2 is on its way. It offers incredible transfer speeds up to 20GB per second, but there’s a catch that could throw a wrench into the works, or at least make things more complicated. At the most recent Mobile World Congress, it was announced that the new USB 3.2 specification will encompass both USB 3.0 and USB 3.1, which creates three different tiers of speed.

The three speeds include:

  • USB 3.2 Gen 1 will bear the moniker ‘SuperSpeed USB’ and will have transfer speeds of up to 5Gbps
  • USB 3.2 Gen two will be called ‘SuperSpeed USB 10Gbps, and as its name indicates, will offer transfer speeds that are twice that of the Gen 1 product
  • USB Gen 2×2 will be marketed as ‘SuperSpeed USB 20Gbps, with the promised 20Gbps transfer speeds

Of particular interest is the SuperSpeed USB 20Gbps product, marketed as 2×2.  It’s able to provide its impressive transfer rate because it utilizes “two lanes” of 10Gbps data transfer, but only when utilizing Type-C cables.  Fortunately, although Type-C cables got off to a bit of a rocky start, those issues are now a thing of the past. USB-IF is encouraging device manufacturers to copy their SuperSpeed nomenclature in an attempt to minimize end-user confusion.

Despite it being a bit more complicated than is necessary, this is very good news.  Transfer speeds have long been something of a bottleneck, and the new tech (USB 3.2 SuperSpeed Gen 2×2) is a welcome addition to the ecosystem.  Look for it to start being available later this year.

For the time being, there’s nothing to be done, except perhaps to make sure you’ve got a little extra money in the budget to spring for the new tech when it becomes available.

 

0
Posted on Author Atlantic Computer Services Categories Blog

Google Security Device Had A Microphone Nobody Knew About

Google has found itself in hot water for something they claim to be an honest mistake and oversight. Owners of the company’s popular Nest Guard (the centerpiece to their Nest Secure home alarm system) have recently discovered a microphone hidden in the guts of the device.  The microphone wasn’t mentioned in the product’s specification sheet, which has creeped out consumer groups around the country and the world.

Google claims that their intention from the beginning was to incorporate Google Assistant functionality into the design. This of course would necessitate the presence of a microphone, making their failure to mention it nothing more than an oversight. Unfortunately, consumer groups don’t seem to be finding that explanation convincing, which explains the push back the company is suddenly getting.

To be fair, Google Assistant functionality would be a superb addition to Nest Secure, but people should be aware of what precisely they’re getting when they open their wallets and buy a new product.  Especially given the fact that there have been a number of high-profile instances where data captured by microphones embedded in a variety of consumer products has already been mishandled and misused.

It ultimately doesn’t matter how many people would or wouldn’t have made the purchase had they known about the presence of the microphone.  The central issue is that they purchased a product without realizing it could be used to record them.

These days, privacy concerns are increasingly on everyone’s mind and with good reason.  Every day, what remains of our privacy seems increasingly under attack.  Innocent oversight or not, this was an unnecessary invasion of that privacy, and advocacy groups are justified in calling the company out for it.

If you don’t yet own a Nest Secure, but have been considering buying one, be aware.  There’s a microphone embedded in it.

0
1 189 190 191 192