Dec 11, 2017

If you have an HP laptop, you might have a keylogger installed

HP has done it again. They have screwed over their customers by leaving something nasty installed in over 460 of their laptop models. This nasty thing is a keylogger program that can be used by hackers to log your every keystroke allowing them to capture your most sensitive passwords!

This isn't the first time they've done this either! Back in May, security researchers discovered a keylogger hidden in HP's audio drivers. ZeroHedge recently reported about spyware being pre-installed on HP computers as well! How low will these guys stoop to snoop on their customers?

Well, this time the keylogger was found in the touchpad driver.

Via The Hacker News:
A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details. 
The Keylogger was found embedded in the SynTP.sys file, a part of Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers. 
Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable built-in keylogger "by setting a registry value." 
Here’s the location of the registry key:
  • HKLM\Software\Synaptics\%ProductName%
  • HKLM\Software\Synaptics\%ProductName%\Default
The researcher reported the keylogger component to HP last month, and the company acknowledges the presence of keylogger, saying it was actually "a debug trace" which was left accidentally, but has now been removed.

Normally to combat bullshit bloatware that hardware manufacturers install by default, I recommend wiping out the OEM operating system and do a fresh install. The problem this time is that the keylogger is contained in the drivers! That means when you go to HP's website to get the correct drivers, the keylogger will still get installed! It's pretty messed up!

I guess you really have two options here:

  • Stop buying HP products
  • Stop using Windows and switch to Ubuntu or some other flavor of Linux
What do you think about this? Let us know in the comments!

Dec 8, 2017

Book Review: Security and Privacy in an IT World: Managing and Meeting Online Regulatory Compliance in the 21st Century

My good friend and mentor (Basically the guy who taught me everything I know about Linux) , Craig MacKinder, recently wrote a book! It is called Security and Privacy in an It World: Managing and Meeting Online Regulatory Compliance in the 21st Century.

MacKinder is the owner of Blueshift Information Systems Inc, has been in the IT industry for over twenty years, and he's probably forgotten more about the business than I may ever know. When he told me that he wrote a book, I was pretty excited about it!

Here is a description of the book from Amazon:
Regulatory compliance has historically been a concern of only a company's legal and finance departments. However, as e-commerce continues to dominate retail both in the United States and abroad, regulatory compliance is now a major area of concern for IT managers, everyone on executive teams, and entire boards of directors. 
Amid a recoiling global marketplace and bigger and more costly cyberattacks, the nexus of "what can our networks do" versus "what are our networks allowed to do" is ever more complex. New privacy regulations coming from some of the closest allies of the United States are increasing the need for all companies doing business online to understand and abide by regulations that are in constant flux. 
On top of these concerns, the U.S. government itself is in a rocky place with domestic politics threatening to stand in the way of business as usual for American companies. How will CEOs navigate this minefield centered around Internet freedom? It will require boardrooms and network managers to focus in partnership on meeting new privacy mandates while also keeping networks safe from cyberattacks and data theft.
MacKinder sent me a copy of the book shortly after it published, and I have to say that I really like it.

It's not a terribly big book, and you can easily read through it in a week or so. It's also written in a manner that is not super technical, and helps give you an easy to follow understanding of the security threats businesses face, as well as the regulatory requirements businesses must adhere to in order to protect client and business data.

It also discusses the politics of IT security and government regulations, and how it impacts global trade and e-commerce. There is also good information about dealing with complex and conflicting Internet regulations.

Overall, I highly recommend this book for IT managers, executives, and board members!

If you are having a hard time getting someone on the executive team to understand the security and regulatory compliance challenges you face as an IT professional, you might consider buying a few copies for them and hand them out as gifts!

Dec 7, 2017

Former FCC Chairman Tom Wheeler Says Ajit Pai is Selling Out Consumers At Behest of ISP's

On Monday we reported that Ajit Pai would not delay their vote to overturn Obama era protections of net neutrality. This was in response to senators requesting that the FCC delay their vote.

One can only assume this is because Ajit Pai is an asshole that doesn't give a shit about consumers, and only the interests of ISP's. One might also speculate that he is probably taking bribes from ISP giants like Verizon and AT&T... I digress...

Anyway, yesterday Pai's predecessor, Tom Wheeler slammed Ajit Pai's plan to eliminate net neutrality. He basically called Pai out for selling out consumers and entrepreneurs at the hands of large ISP's.

Via Ars Technica:
"ISP monopoly carriers have been trying for four years to get to this point," Wheeler said, pointing to a 2013 story in The Washington Post about how telecoms were trying to "shift regulation of their broadband businesses to other agencies that don't have nearly as much power as the FCC." 
Pai's elimination of net neutrality rules, scheduled for a vote on December 14, will also shift consumer protection responsibility to the Federal Trade Commission and forbid state and local governments from writing their own net neutrality rules. 
"It is a classic example of regulatory capture, where the regulatory agency bends to the wishes of those they are supposed to oversee," Wheeler said today during a press conference with US Rep. Anna Eshoo (D-Calif.) and Sen. Ed Markey (D-Mass.).
If you don't think this whole thing stinks, you need to get your nose checked. We are all on the brink of losing the ultimate freedom humanity has ever created, and it's all about money.

What do you think of Ajit Pai, or his plans to kill net neutrality? Let us know in the comments!

Dec 6, 2017

Over 31 Million Ai.type user's info leaked in massive data breach

Researchers from Kromtech Security center have discovered that personal information from around 31 million users have been leaked online due to a security vulnerability in the popular smartphone keyboard app Ai.type. The data was found online and can be accessed by anyone without a password.

Via The Hacker News:
Founded in 2010, Ai.type is a customizable and personalizable on-screen keyboard for mobile phones and tablets, with more than 40 million users worldwide. 
Apparently, a misconfigured MongoDB database, owned by the Tel Aviv-based startup AI.type, exposed their entire 577 GB of the database online that includes a shocking amount of sensitive details on their users, which is not even necessary for the app to work. 
"...they appear to collect everything from contacts to keystrokes."
The leaked database of over 31 million users includes:
  • Full name, phone number, and email address
  • Device name, screen resolution and model details
  • Android version, IMSI number, and IMEI number
  • Mobile network name, country of residence and even user enabled languages
  • IP address (if available), along with GPS location (longitude/latitude).
  • Links and the information associated with the social media profiles, including birth date, emails, photos.
"When researchers installed Ai.Type they were shocked to discover that users must allow 'Full Access' to all of their data stored on the testing iPhone, including all keyboard data past and present," the researchers say.
If you are an Ai.type user, it's already too late, but I'd still uninstall it if I were you...

Dec 5, 2017

Mining Bitcoin on a 55 year old IBM mainframe works worse than expected

I ran into an interesting blog post today where a guy named Ken Shirriff decided to test what would happen if you mined Bitcoin on a 55 year old IBM 1401 mainframe! If you think he was able to really crank out hashes on that old giant monstrosity using punch cards and assembly language, well... you would be wrong.

Via www.righto.com:
The IBM 1401 can compute a double SHA-256 hash in 80 seconds. It requires about 3000 Watts of power, roughly the same as an oven or clothes dryer. A basic IBM 1401 system sold for $125,600, which is about a million dollars in 2015 dollars. On the other hand, today you can spend $50 and get a USB stick miner with a custom ASIC integrated circuit. This USB miner performs 3.6 billion hashes per second and uses about 4 watts. The enormous difference in performance is due to several factors: the huge increase in computer speed in the last 50 years demonstrated by Moore's law, the performance lost by using a decimal business computer for a binary-based hash, and the giant speed gain from custom Bitcoin mining hardware. 
To summarize, to mine a block at current difficulty, the IBM 1401 would take about 5x10^14 years (about 40,000 times the current age of the universe). The electricity would cost about 10^18 dollars. And you'd get 25 bitcoins worth about $6000. Obviously, mining Bitcoin on an IBM 1401 mainframe is not a profitable venture...
...Implementing SHA-256 in assembly language for an obsolete mainframe was a challenging but interesting project. Performance was worse than I expected (even compared to my 12 minute Mandelbrot). The decimal arithmetic of a business computer is a very poor match for a binary-optimized algorithm like SHA-256. But even a computer that predates integrated circuits can implement the Bitcoin mining algorithm. And, if I ever find myself back in 1960 due to some strange time warp, now I know how to set up a Bitcoin network.
Ken went on to say that he didn't actually mine real Bitcoin using this museum computer, but he did actually create and run the SHA-256 algorithm on the IBM 1401, showing that mining is possible in theory. He verified that he was able to find a successful hash by comparing it against one that had already been mined.

Line printer and IBM 1401 via righto.com
Even though it doesn't really make any sense to try and attempt mining on such old hardware, this little experiment is kind of fun an interesting in my opinion.

What do you think? Let us know in the comments!

Dec 4, 2017

FCC Chairman Ajit Pai basically tells net neutrality supporters they can eat a bag of dicks

FCC Chairman, Ajit Pai (Asshole)
OK, to be perfectly honest, the title of this blog post is not an exact quote. FCC Chairman, Ajit Pai did not actually tell net neutrality supporters that they can eat a bag of dicks, but he might as well have.

According to our last blog post, 28 senators were asking the FCC to delay their vote on repealing net neutrality regulations implemented by the Obama administration. Well, Ajit Pai said they will not be delaying the vote, and also said net neutrality supporters are "desperate".

Via Ars Technica:
The Federal Communications Commission will move ahead with its vote to kill net neutrality rules next week despite an unresolved court case that could strip away even more consumer protections. 
FCC Chairman Ajit Pai says that net neutrality rules aren't needed because the Federal Trade Commission can protect consumers from broadband providers. But a pending court case involving AT&T could strip the FTC of its regulatory authority over AT&T and similar ISPs. 
A few dozen consumer advocacy groups and the City of New York urged Pai to delay the net neutrality-killing vote in a letter today. If the FCC eliminates its rules and the court case goes AT&T's way, there would be a "'regulatory gap' that would leave consumers utterly unprotected," the letter said.
Sorry folks, there will be no delay. Hopefully Pai is right and the FTC can protect consumers from broadband carriers without regulations, but I wouldn't hold my breath!

What do you think about this? Let us know in the comments!

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam