Office Depot And OfficeMax Find Malware That Isn’t There

Sometimes we are rebuilding a RAID array or replacing a BIOS chip and we wonder how ordinary people keep their computers running. Then we realize that most of them come to someone like us for help. But what if you don’t have a family member or friend who is computer savvy? No problem! Plenty of stores — including big box office stores such as Office Depot and OfficeMax — will be glad to help you. Why, most of them will even be willing to test your computer for free. Sounds nice until you find out that, at least in some cases, these tests were showing problems that didn’t need fixing so users would pay for services they didn’t need. The Federal Trade Commission (FTC) has fined Office Depot (which owns OfficeMax) $25 million and plans to use the funds to issue refunds. In addition, a vendor, Support.com, will pay $10 million to support the refunds.

The free check used software to detect problems on a PC. However, during the scan the user was asked whether their computer had shown certain symptoms, for example, whether the PC had become slow or frequently rebooted. If you said yes to any of these questions, the software would produce a report claiming to have found evidence of malware and offering fixes that could cost significant amounts of money, even if there was no other evidence.


Would You Like To Play a Game? WOPR Summit is This Weekend

During the summer months it might be known as “America’s Playground”, but around this time of year, Atlantic City is generally the destination of choice for bus loads of seniors looking to burn up some of that fixed income. Of course, that was before the WOPR Summit came to town. From March 1st to the 3rd, it promises to transform Bally’s Hotel and Casino on the famous Atlantic City Boardwalk into a high-tech oasis in a sea of oxygen tanks and walkers. There might not be any fun in the sun to be had at this time of year, but a full schedule of talks and workshops covering everything from penetration testing to ham radio is more our speed anyway.

There are still a couple of days to register for WOPR online at a discount, but naturally they’ll be happy to take your money at the door if you miss the cutoff. As of this writing, there are even still rooms left at Bally’s for the special WOPR rate, which you’ll probably want to take advantage of as the schedule has events running until well past our normal bedtime.

WOPR looks like it will be a nice mix between hardware and software, with a generous sprinkling of InfoSec. Presentations such as “Strategies for your projects: Concept to Prototype” and “Being Q. — Designing Hacking Gadgets” sound like classic Hackaday fare. But even if you aren’t normally into the security scene, talks such as “Ham Hacks: Breaking into Software Defined Radio” and “An Introduction to IoT Penetration Testing” seem like they’ll be an excellent way to cross the divide. In between the talks, they promise to have a hackerspace up and running for you to check out, complete with soldering classes and contests.

It’s not often that you get to witness the birth of a new hacking conference, especially one on the East Coast, so Hackaday will be shaking off the last bits of our long winter’s nap as I catch the next bus out of the Senior Center that’s headed towards the Boardwalk. Track me down and you might even be able to take some of our Jolly Wrencher stickers home along with your slot machine winnings. But even if you can’t make it to America’s rather chilled and blustery playground this weekend, I’ll be sure to report on all the highlights so you can live vicariously through the comforting flicker of your favorite screen.

Cybersecurity and Insurance

Insurance is a funny business. Life insurance, for example, is essentially betting someone you will die before your time. With the recent focus on companies getting hacked, it isn’t surprising that cybersecurity insurance is now big business. Get hacked and get paid. Maybe.

The reason I say maybe is because of the recent court battle between Zurich and Mondelez. Never heard of them? Zurich is a big insurance company and Mondelez owns brands like Nabisco, Oreo, and Trident chewing gum, among others.

It all started with the NotPetya ransomware attack in June of 2017. Mondelez is claiming it lost over $100 million because of the incident. But no problem! They have insurance. If they can get the claim paid by Zurich, that is. Let’s dig in and try to see how this will all shake out.


E-Mail Service Claims it Doesn’t Store Your Mail

There have been many news stories lately about companies misusing your data, including your e-mails. What’s more, these giant repositories of data are favorite targets for hackers. Even if you trust the big corporations, you are also betting on their security. Criptext claims they have (possibly) the most private e-mail service ever. It uses the open Signal protocol and stores private keys and encrypted mail only on your device. All the applications to access your mail are open source, so presumably, someone would eventually spot any backdoors or open holes.

At the moment the service is free and the company reports that even when a paid offering is ready, there will still be a free tier. Of course, you can send and receive normal e-mail, too. You can also use a passphrase you send to someone else (presumably not by e-mail) so they can read an encrypted message.


Screaming Channels Attack RF Security

As long as there has been radio, people have wanted to eavesdrop on radio transmissions. In many cases, it is just a hobby activity like listening to a scanner or monitoring a local repeater. But in some cases, it is spy agencies or cyberhackers. [Giovanni Camurati] and his colleagues have been working on a slightly different way to attack Bluetooth radio communications using a technique that could apply to other radio types, too. The attack relies on the ubiquitous use of mixed-signal ICs to make cheap radios like Bluetooth dongles. They call it “Screaming Channels” and — in a nutshell — it relies on digital information leaking out on the device’s radio signal.

Does it work? The team claims to have recovered an AES-128 key from 10 meters away. The technique reminds us a bit of TEMPEST in that unintended radio transmissions provide insight into the algorithm the device applies to encrypt or decrypt data. Most (if not all) encryption techniques assume you can’t see inside the “black box.” If you can, then it is relatively easy to break the code.


3D Printing, Cybersecurity, and Audio Fingerprinting

We all understand the risk of someone taking over our computers or phones for nefarious purposes. But remote access to printers and fax machines was something most people took a little less seriously. After all, you might get some obscene printouts or someone wasting some paper, but in general, those are not big deals. Some researchers, however, have lately been pondering what might happen should someone break into your 3D printer. Of course, you could bring a printer down to deny service, or cause things to malfunction — maybe even in ways that could be dangerous if the printer didn’t have sufficient safety features. But these researchers are more crafty. They are studying how you can know that what you’ve printed hasn’t been subtly sabotaged. They also think they have an answer.

If you are printing another Benchy at home this probably isn’t a real concern. However, according to the paper, 3D printing now accounts for over $6 billion of revenue with 33.8% of all parts having some function. This includes a recent FAA approval for a 3D-printed fuel nozzle for a jet engine. So indulge us in a little science fiction. You are about to fly your drone to take video of an important social function. You are worried about one of your props, so you 3D print a new one. Too bad your competitor has hacked your computer with a phishing e-mail and modified your STL files so that the new prop will have built-in weak spots internally. The prop will look fine and you’ll be able to install it. But it is going to fail right when you are taking those critical shots.


Harmony Hub Hacked and Patched

When we say “hack” here we most often mean either modifying something to do something different or building something out of parts. But as we build more Internet-connected things, it is worthwhile to think about the other kind of hack where people gain unauthorized access to a system. For example, you wouldn’t think a remote control would be a big deal for hackers. But the Logitech Harmony Hub connects to the Internet and runs Linux. What’s more, it can control smart devices like door locks and thermostats, so hacking it could cause problems. FireEye’s Mandiant Red Team set out to hack the Harmony and found it had a lot of huge security problems.

The remote didn’t check Logitech’s SSL certificate for validity. It didn’t have a secure update process. There were developer tools (an SSH server) left inactive in the production firmware and — surprisingly — the root password was blank! The team shared their findings with Logitech before publishing the report and the latest patch from the company fixes these problems. But it is instructive to think about how your Raspberry Pi project would fare under the same scrutiny.

In fact, the most interesting part of the story is the blow-by-blow description of the attack. We won’t spoil the details, but the approach was to feed the device a fake update package that turned on a dormant SSH server. Although they started by trying to solder wires to a serial port, that wasn’t productive and the final attack didn’t require any of that.

We’ve looked at some ways to harden Linux systems like the Raspberry Pi before, but honestly, it is an ongoing battle. We’ve seen plenty of devices with cybersecurity holes in them — some not found by good guy hackers first.
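
As a starting point for putting your own Raspberry Pi project under that kind of scrutiny, here is an added example (not code from FireEye’s report or from Logitech) that checks shadow-format and sshd_config text for two of the problems described above: a blank root password and an SSH server that would accept it. The function names and the sample file contents are constructed for illustration.

```python
# Added example; the file contents below are constructed samples, not from a real device.
SAMPLE_SHADOW = """\
root::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
pi:$6$constructedsalt$constructedhash:17000:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
"""

def blank_password_accounts(shadow_text):
    """Accounts whose second shadow field is empty, i.e. no password is required."""
    accounts = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            accounts.append(fields[0])
    return accounts

def sshd_settings(config_text):
    """Global sshd_config keywords, lowercased; the first occurrence wins, as in sshd."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional Match blocks are out of scope for this check
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def audit(shadow_text, config_text):
    """Findings for the blank-password and SSH issues named in the text."""
    cfg = sshd_settings(config_text)
    findings = [f"account '{u}' has a blank password"
                for u in blank_password_accounts(shadow_text)]
    # OpenSSH defaults: PermitEmptyPasswords no, PermitRootLogin prohibit-password
    if cfg.get("permitemptypasswords", "no") == "yes":
        findings.append("sshd accepts empty passwords")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("sshd allows root password login")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

On a real system you would pass in the contents of `/etc/shadow` and `/etc/ssh/sshd_config`, which requires root to read.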