Tool Easily Breaks Into Locked PCs

Proving once again that you can do a lot of damage with a little investment and a lot of ingenuity, security researcher Samy Kamkar recently managed to break into a locked, password-protected computer armed with only a US$5 Raspberry Pi.

The low-tech cookie-siphoning intrusion is one of Kamkar’s simplest hacks ever. He previously has unlocked car doors, garages, wireless remote cameras and other devices, with MacGyver-like precision.

Kamkar’s latest hack, PoisonTap, uses a Raspberry Pi Zero, a micro SD card, and a micro USB cable or other device that emulates USB, including USB Armory or LAN Turtle.

Windows, OS X and Linux recognize PoisonTap as an Ethernet device, load it as a low-priority network device, and perform a DHCP request across it, even if the computer is locked or password-protected, Kamkar explained.

PoisonTap provides the computer with an IP address. However, the DHCP response tells the machine that the entire IPv4 space is part of PoisonTap’s local network, rather than a small subnet, he said.

If a Web browser is running in the background, one of the open pages will make an HTTP request in the background, Kamkar noted. PoisonTap spoofs the reply, returning its own address, so the HTTP request lands on PoisonTap’s Web server.

When the Node Web server gets the request, PoisonTap’s response is interpreted as HTML or JavaScript.

The attacker is then able to hijack all Internet traffic from the machine and siphon and store HTTP cookies from the Web browser for the top 1,000,000 Alexa websites.
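As an added defender-side illustration (not code from Kamkar’s project or from the article), the Python check below parses `ip route show`-style output and flags any interface whose non-default routes claim an implausibly large slice of IPv4, which is the symptom of the routing trick described above. The sample route lines are constructed, and the detail that the rogue adapter hands out two /1 routes is an assumption for the sample, not a claim from the article.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output: wlan0 is the real uplink,
# usb0 is a freshly attached USB Ethernet gadget whose DHCP lease handed
# the host two /1 routes that together cover all of IPv4 (an assumption
# made for this sample) and that beat the /0 default by being more specific.
SAMPLE_ROUTES = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
0.0.0.0/1 dev usb0 proto dhcp scope link src 1.0.0.2 metric 700
128.0.0.0/1 dev usb0 proto dhcp scope link src 1.0.0.2 metric 700
""".strip().splitlines()

# A legitimate LAN segment is never wider than a /8; any non-default route
# broader than this pulls traffic that should have left via the real uplink.
MAX_PREFIXLEN = 8

ROUTE_RE = re.compile(
    r"^(?P<dst>default|\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+))?"
    r"\s+dev\s+(?P<dev>\S+)"
)


def parse_route(line):
    """Parse one `ip route` line into its network, gateway (or None) and device."""
    m = ROUTE_RE.match(line.strip())
    if m is None:
        return None
    dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
    return {
        "net": ipaddress.ip_network(dst, strict=False),
        "via": m.group("via"),
        "dev": m.group("dev"),
    }


def audit_wide_routes(lines, max_prefixlen=MAX_PREFIXLEN):
    """Return, per device, the fraction of IPv4 its over-wide routes claim,
    plus those routes. Devices with no such routes are omitted."""
    claimed = {}
    for line in lines:
        route = parse_route(line)
        if route is None:
            continue
        plen = route["net"].prefixlen
        # /0 is the ordinary default route; anything at or beyond max_prefixlen
        # is a normally sized subnet. Only the band in between is suspicious.
        if plen == 0 or plen >= max_prefixlen:
            continue
        entry = claimed.setdefault(route["dev"], {"addresses": 0, "routes": []})
        entry["addresses"] += route["net"].num_addresses
        entry["routes"].append(str(route["net"]))
    return {
        dev: {"covered": e["addresses"] / 2 ** 32, "routes": e["routes"]}
        for dev, e in claimed.items()
    }


if __name__ == "__main__":
    for dev, info in audit_wide_routes(SAMPLE_ROUTES).items():
        print(f"{dev}: routes claim {info['covered']:.0%} of IPv4: {info['routes']}")
```

On a live host, feed the function the lines of `ip route show` (Linux) and alert on any device other than the known uplink appearing in the result.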

Robust Sales

Amazon Echo and Google Home were among the most buzzed-about items on Cyber Monday, according to Adobe Digital Insights spokesperson Melissa Chanslor.

In fact, Amazon on Tuesday reported a record-breaking Cyber Monday, with sales of the Echo family of devices up seven times compared with Cyber Monday 2015.

The company sold millions of Alexa-related devices over the Thanksgiving weekend, with the Echo Dot, the Amazon Fire TV Stick with Alexa Voice Remote, the Fire tablet and the Amazon Echo ranking as the best-selling products from any manufacturer across the site, said Dave Limp, senior vice president, Amazon devices and services.

Amazon sold more than 5.1 million Echo devices in the U.S. since the product was launched in 2014, according to a Consumer Intelligence Research Partners report released earlier this month. Approximately 2 million of the estimated 5.1 million devices were sold in the first nine months of 2016 alone, with awareness of the device on the rise.

More than 40 percent of Echo users streamed music on the device, and one-third used it to ask Alexa questions, the report shows.

A touchscreen would be a strong addition to the Echo, which operates mainly through voice controls, noted Rob Enderle, principal analyst at the Enderle Group.

“There are times when having something respond visually rather than verbally is more useful,” he told TechNewsWorld. For example, checking news and weather at night, or looking for video, photos or lyrics to go with music, would make voice controlled devices more compelling.

Amazon is selling tablets in the US$30 range to lead into holiday sales, Enderle noted, so the addition of a touchscreen likely would not mean a significant cost increase for the home hub.

A visual option also would help Amazon link Alexa devices to the music store, the retail website and Amazon Fire TV, he added.

A Bigger Pie

A touchscreen addition for the Echo would serve to expand the audience of consumers to those who might want a mobile device, suggested Michael Jude, a program manager at Stratecast/Frost & Sullivan.

“It will simply extend the Alexa options into the realm of a tablet,” he told TechNewsWorld. “It could be popular with a certain niche that is already hooked on the Alexa voice interface.”

A touchscreen might not be enough to hold back competitors in the digital assistant space, but “the more places Alexa is used, the better for Amazon,” said Jim McGregor, principal analyst at Tirias Research.

Let’s Call for Public Systems

The San Francisco Municipal Transportation Authority, or SF MTA, was hacked on Friday.

“You Hacked, All Data Encrypted,” was the message reportedly displayed on computer screens at the authority’s stations throughout the city. “Contact for Key (cryptom27@yandex.com)ID:681 , Enter.”

Fare payment machines at underground stations were out of order, resulting in free rides on the subway and light rail system known locally as “SF Muni.”

Some SF MTA employees’ email systems did not work, The San Francisco Examiner reported.

The MTA locked its subway fare gates in an open position to enable free riding, according to the paper.

The agency was hit by a ransomware attack that disrupted some of its internal computer systems, including email, according to spokesperson Kristen Holland.

The attack didn’t affect transit service or buses, she noted. Neither customer privacy nor transaction information was compromised, and the situation was contained.

All About the Dough

A person at the email address provided by the hacker, who identified himself as “Andy Saolis” to the Examiner, demanded 100 bitcoins — equal to about US$73,000 — to release data captured from the MTA.

The MTA payment system was inaccessible over the weekend, according to the Examiner, and employees were concerned that the personal data of the agency’s nearly 6,000 employees was at risk.

Saolis indicated the attack was “for money, nothing else.”

“Andy Saolis” is the name used by the attacker who launched a full disk encryption ransomware package that Morphus Labs discovered earlier this year and dubbed “Mamba.”

Open Muni

The MTA’s network was penetrated after an employee downloaded a torrented computer file that contained a software key code generator, Saolis reportedly said. That automatically launched an admin-level infection.

The SFMTA network was very open, he maintained.

Saolis threatened to close the email Monday if he hadn’t heard from the MTA, which would lock the agency’s infected computers out of its network permanently.

“It looks like the Muni scheduling and billing systems are running on the same machines as the employees’ email systems,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.

“This implies that the Muni operations are exposed to external attack,” he told the E-Commerce Times.

Muni “should have critical operations and management systems running in a secured environment, ideally one not exposed to outside access,” Jude suggested.

The Very Real Public Threat

Penetrations of this sort “can easily escalate to life-threatening events,” Jude warned. “Simply messing with route scheduling could lead to confusion or, possibly, collisions.”

Mass transit and passenger rail systems, including buses, light rail and subways, make up one of the seven key subsectors of the United States Transportation Systems Sector.

The U.S. Department of Homeland Security, which oversees the sector jointly with the U.S. Department of Transportation, has issued cybersecurity framework implementation guidance and a companion workbook for owners and operators in the sector to help reduce cyber risks.

Keeping Transit Systems Safe

“The threat environment warrants evaluating security controls for any organization that relies on computer systems for providing a service or running a business,” said Tim Erlin, senior director of IT and security at Tripwire.

Ransomware Infiltration

Facebook on Monday denied that its network and Messenger app were being used to spread ransomware to its users, contradicting the claims of Check Point researchers Roman Ziakin and Dikla Barda.

The two researchers last week reported they had discovered a new method for delivering malicious code to machines, which they dubbed “ImageGate.”

Threat actors had found a way to embed malicious code into an image, they said.

Due to a flaw in the social media infrastructure, infected images are downloaded to a user’s machine, Ziakin and Barda explained. Clicking on the file causes the user’s machine to become infected with a ransomware program known as “Locky,” which encrypts all the files on the infected machine. The user then must pay a ransom to the purveyor of the malicious software in order to decrypt the files.

“In the past week, the entire security industry is closely following the massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign,” the researchers wrote in an online post. “Check Point researchers strongly believe the new ImageGate technique reveals how this campaign was made possible, a question which has been unanswered until now.”

Bad Chrome Extension

Facebook has disputed Check Point’s findings.

“This analysis is incorrect,” Facebook said in a statement provided to TechNewsWorld by spokesperson Jay Nancarrow.

“There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook,” the company maintained.

“We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week,” Facebook noted. “We also reported the bad browser extensions to the appropriate parties.”

Most social media sites, including Facebook, have protections in place to block spam and dangerous file types, said Marc Laliberte, an information security threat analyst with WatchGuard Technologies.

“This most recent attack bypassed Facebook’s protections by using a specific type of image file that supports interactivity via embedded scripts, like JavaScript,” he told TechNewsWorld. “Facebook has since added the image file type — SVG — used in this attack to their filter.”

Cloak of Legitimacy

What makes this attack so devious is that it’s cloaked in legitimacy.

“The JavaScript embedded in the image is not malicious,” explained Alexander Vukcevic, virus labs director at Avira. “It leads you to a website that looks like YouTube.”

At the website, you’re told you need to download a browser extension to watch video at the site.

“The browser extension then downloads the ransomware,” Vukcevic told TechNewsWorld.
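As an added illustration of the defensive point raised by Laliberte and Vukcevic above (this is example code, not anything from Check Point, Facebook or Avira), the Python filter below inspects an SVG upload for the script-capable content that lets an “image” redirect a viewer: `<script>` and similar elements, `on*` event handlers, and `javascript:`/`data:` or external hrefs. The two SVG samples are constructed, and the function and constant names are this example’s own.

```python
import xml.etree.ElementTree as ET

# Elements that execute or embed active content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Elements whose href fetches an external resource when the image is rendered.
LOADING_ELEMENTS = {"script", "image", "use", "feImage"}

# Constructed samples: a plain drawing, and one carrying the kinds of
# active content an SVG upload filter should reject.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""

SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* constructed placeholder: a real sample would redirect the viewer */</script>
  <a xlink:href="javascript:void(0)"><circle r="5"/></a>
</svg>"""


def _local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return a list of findings describing script-capable content in the SVG.
    An empty list means nothing active was found; a parse failure is itself
    a finding, since a filter must never pass what it could not inspect."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    findings = []
    for el in root.iter():
        name = _local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                # SVG has no legitimate on* attributes other than event handlers
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href":  # covers both href and xlink:href
                target = value.strip().lower()
                if target.startswith(("javascript:", "data:")):
                    findings.append(f"{attr_name}={value[:40]!r} on <{name}>")
                elif target.startswith(("http:", "https:", "//")) and name in LOADING_ELEMENTS:
                    findings.append(f"external load {value[:40]!r} on <{name}>")
    return findings


def is_safe_svg(svg_bytes):
    """True only when the SVG carries no script, handler or risky href."""
    return not find_active_content(svg_bytes)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, "->", find_active_content(sample) or "clean")
```

The standard-library parser is used here to keep the example self-contained; in a real upload path parse with `defusedxml` to block entity-expansion tricks, and the simplest robust policy is the one the article attributes to Facebook: reject or rasterize SVG uploads entirely.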

Ransomware like Locky has become a big threat to consumers, observed Javvad Malik, a security advocate for Alien Vault.

“Most are not technically savvy to spot or defend against ransomware,” he told TechNewsWorld. “While a lot of effort is put into educating consumers around the dangers of clicking on links in emails or opening attachments, there is an inherent level of trust that people put in social media platforms, which is being abused by this current threat.”

What’s Happening With News Propaganda

A few years back, when it was one company, HP made a huge mistake that cost a number of people their jobs and forced the replacement of many of its board members. The company suffered through some nasty litigation and several top executives almost landed in jail.

The mistake was tied back to something the board authorized, which at the time was called “pretexting.” It also went by the more common term “identity theft.” It is my belief that the board wouldn’t have authorized the effort if it had been told that what the teams planned to do was steal the identities of reporters.

Given how risk-averse boards were, and still are, HP’s directors simply would not have been willing to take the risk, in my view, and much of HP’s pain in the last decade could have been avoided.

Given that Russia is the source for much of it, I now wonder if our use of the term “fake news” as a label — as opposed to the older and more relevant term — isn’t doing us a disservice, by not highlighting the inherently evil nature of the practice.

Fake News is intentionally designed to mislead, and it should be treated like propaganda. Blocking propaganda as a matter of law would be far easier to accomplish than blocking “fake news,” because “fake news” seems more benign than “propaganda” — even though, like “pretexting” and “identity theft,” they are the same thing.

I’ll share my thoughts on that and close with my product of the week: a new Magellan Dash camera that might make a decent gift for those needing to document some of the insane drivers on the road, or catch someone messing with their car.

There Is a Lot of ‘Fake News’

Now much of the fake news I currently get on Facebook is simply to get me to click a link, often as part of a process to install some form of malware. Often, these stories have been about the death of a celebrity who hasn’t died, but during the election, much of the fake news surrounded things that weren’t true about Hillary Clinton but that clearly were intended to change my vote. They were attempts to change how I viewed a candidate, in order to elicit a reaction.

Given the nature of the false stories and the fact that polls showed Clinton would win anyway, my belief is that the effort was to impede her ability to govern after she won, and the anticipated disclosure of the effort was designed to do the same thing to Trump.

The sure thing for Russia wasn’t to elect Trump or Clinton, but to ensure that whoever won would have such a cloud hanging overhead that neither could really execute. In other words, Russia wasn’t going after a candidate — it was going after the country.

Beyond the idea that another country could have a material impact either on the election or on the effectiveness of the elected candidate is the frightening fact that it happened in a country that has the tools to formulate a proper response but chose not to use them.

As initial attempts go, this was a powerful one. Given the propagation of ever more intelligent tools to create increasingly more targeted messages, it means a foreign power with adequate funds — like Russia or China — could gain near-absolute control over who gets elected in the U.S. That’s troubling — particularly given that the U.S. developed the tools both to carry out and to defend against such a strategy.

Defending Against Foreign Election Control

Clearly, there are free speech and censorship issues with regard to the identification and elimination of fake news, but with analytics, we can identify both trends and the organized manipulation of facts that go viral.

That is why switching from the name “fake news” to the name “propaganda” when a foreign, criminal or terrorist organization is generating this “news” could go a long way toward reducing its impact.

Once it’s identified, there are tools that can explain to people that the news they are seeing isn’t fact-based, and/or source the information so people understand there may be inherent bias.

Fleet to Gather Maps Data

Apple has assembled a group of robotics and data-collection experts who will use unmanned aerial vehicles — that is, drones — to obtain data for updates to its Maps app, Bloomberg reported Thursday.

Apple, Google and others in the cartography space currently collect a lot of their data using motor vehicles equipped with high-tech gear.

“That’s a very expensive and time-consuming process,” said Sam Abuelsamid, a senior research analyst at Navigant Research.

“Doing it with drones provides the potential to gather the same kind of data in a much more cost-effective manner and do it more rapidly,” he told TechNewsWorld.

“Drones allow them to cover more territory faster,” observed Tim Bajarin, president of Creative Strategies.

“It is the most obvious way to help keep road data up to speed at all times,” he told TechNewsWorld.

Drone Alone

However, drones are no substitute for a fleet of ground vehicles, maintained Tsou, a professor in the geography department at San Diego State University.

“I don’t think drones can replace the ground vehicles since there are many limitations of UAVs,” he told TechNewsWorld. “The viewpoint of drones is very different from a car. For car navigation purposes, the car view is more important than an airplane view.”

There are other disadvantages to using drones for information collection.

“Most folks recognize a Google Street View car as it drives along the road, and even a Street View pedestrian with the huge camera and backpack is pretty recognizable,” noted Ken Hyers, director of wireless device strategies for Strategy Analytics.

However, “a small drone whizzing around may surprise or irritate folks,” he told TechNewsWorld.

Privacy also will be an issue.

“When a ground vehicle collects this information, it is driving along public roads and can only see what’s visible from the road,” Hyers explained, “but a drone can peek over fences, look in backyards, and into rooms behind balconies.”

Indoor Maps

The Federal Aviation Administration earlier this year approved Apple’s request to operate an unmanned aircraft system to conduct data collection, photography and videography.

The approval is subject to a number of conditions and limitations: a drone’s speed cannot exceed 87 knots; its altitude is limited to 400 feet; and its flight operations must be kept at least 500 feet away from all persons, vessels, vehicles and structures, with certain exceptions.

In addition, drones must be flown during daylight hours and within eyesight of a pilot licensed to operate a UAV.

Apple also plans to add indoor navigation features to Maps to help people find their way around high-traffic buildings, such as airport terminals and museums, according to the Bloomberg report. The company likely will use technology gained with two recent acquisitions — Indoor.io and WiFiSlam — for that purpose.

Know Well Galaxy Note7

Samsung’s desire to match the iPhone 7 Plus led it to implement an aggressive design and manufacturing approach that led to problems with its Galaxy Note7 — including some instances of the smartphones bursting into flames — and eventually its global recall, Instrumental reported last week.

Instrumental engineers tore down a Galaxy Note7, and found “evidence in the design of an intellectual tension between safety and pushing the boundaries,” CEO Anna Shedletsky revealed.

Samsung engineers “designed out all of the margin in the thickness of the battery,” she noted.

It “sits within a CNC-machined pocket — a costly choice likely made to protect it from being poked by other internal components,” Shedletsky speculated.

“For something that is innovative and new, you design the best tests that you can think of, and validate that the design is OK through that testing,” she said.

However, battery testing “takes a notoriously long time, and thousands of batteries need to be tested to get significant results,” Shedletsky pointed out. “It’s possible that Samsung’s innovative battery manufacturing process was changing throughout development, and that the newest versions of the batteries weren’t tested with the same rigor as the first samples.”

If the Note7 had not been recalled, “a few years down the road these phones would be slowly pushed apart by mechanical battery swell,” she added.

A rule of thumb is to leave 10 percent of the depth of the battery pocket as a ceiling above the battery to allow for that expansion, but “our two-month-old unit had no ceiling,” said Shedletsky, and “since it breaks such a basic rule, it must have been intentional.”

The Long Road to Adequate Testing

It’s “impossible to test for everything,” said Jim McGregor, principal analyst at Tirias Research.

“You have to consider not only testing the battery but also testing applications and the phone,” he told TechNewsWorld.

Considering how many versions of the Galaxy smartphone Samsung has released and the number of units produced, “this is like comparing the Galaxy Note7 problem to air travel,” McGregor remarked. “While crashes make the headlines, air travel is still one of the safest forms of transportation.”

Considering the Bigger Picture

Given limitations in battery technology and increasing demands for new displays, wireless interconnects, sensors and processors in ever-shrinking sizes, the industry is “pushing these technologies to the breaking point,” McGregor said.

That will be a problem for all handsets and for wearables in the future, he predicted.

The IEEE has “known for some time that there were several fundamental limiting factors to personal electronics,” observed Michael Jude, a program manager at Stratecast/Frost & Sullivan.

They include “power dissipation, power consumption, and power density — how much juice you can store in a small package,” he told TechNewsWorld.

Battery technology is tricky, Jude said. “A battery is really a controlled chemical explosion. You can have a little power over a long period of time or a lot all at once. Smartphone designers walk a fine line between power consumption and battery storage density.”

Competition Can Kill

A smaller battery using standard manufacturing parameters would have solved the swelling and explosion issues, but that “would have reduced the system’s battery life below the level of … the iPhone 7 Plus,” Shedletsky noted. “Either way, it’s now clear to us that there was no competitive salvageable design.”

Various iPhone models had battery problems, but they were “all fixed with a replacement battery,” said Rob Enderle, principal analyst at the Enderle Group.

Project Evo Ups the PC Game

Microsoft and Intel on Wednesday announced Project Evo, their highly anticipated collaboration to create the next generation of personal computers. The project aims to expand on new advances in artificial intelligence, mixed reality, advanced security and gaming.

Terry Myerson, executive vice president of the Windows and Devices Group at Microsoft, unveiled some of Project Evo’s ambitious plans at the Windows Hardware Engineering Community (WinHEC) event in Shenzhen, China.

Through the collaboration, the companies will push the boundaries of a personal computer’s capabilities in the near future, he said. Technologies under development include far-field speech and wake-on-voice enabled through Cortana, biometrics and voice authentication in Windows Hello, spatial audio, and HDR support for gaming.

Project Evo — particularly its expanded use of Cortana — invites comparisons to the digital assistant tools found in Amazon Echo and Google Home, standalone speakers that use Amazon Alexa and Google Assistant respectively. Though their capabilities differ, each uses voice communications to interact with the automated home.

However, Project Evo seems geared toward making the personal computer into a much more sophisticated device — one that can be accessed and operated in ways never before seen.

Home Hub Connection?

Essentially, users will be able to wake up a PC, whether it’s open or shut, simply by saying “Hello Cortana.” Through voice commands, users will be able to access the information they need either directly from their personal computing device or from the cloud.

“This is going to make the PC way more intuitive than it is today,” Intel SVP Navin Shenoy, general manager of the Client Computing Group, told WinHEC attendees. “You no longer need to be directly in front of your PC to activate Cortana.”

“There are certainly aspects of Project Evo that are likely to compete directly with Amazon Alexa and Google Home,” noted Charles King, principal analyst at Pund-IT.

However, it’s likely that “Intel and Microsoft are after a fundamentally bigger game,” he told TechNewsWorld.

In the case of Project Evo, the companies are working with much more powerful computing capabilities than Amazon and Google are using with their home hubs.

“Microsoft has the technology in the cloud, not the home,” noted Jim McGregor, principal analyst at Tirias Research.

“The problem is that the PC is not the center of the home or the consumer experience,” he told TechNewsWorld.

While there is room for improving the PC experience, this project is not going to push Microsoft into a direct competition with Amazon, McGregor said.

Passwords Passe

The Project Evo collaboration will provide advanced security to the PC, including biometric authentication using Windows Hello, eliminating the requirement to memorize multiple passwords, Shenoy said.

A major aspect of the collaboration is to provide mixed reality experiences in PCs that are affordable to the average consumer, and also to use head-mounted displays that blend the physical and virtual world in ways not seen before.

Microsoft has submitted its HoloLens to the Chinese government for approval, Myerson announced at WinHEC, and the company expects to make the devices available to developers and commercial customers during the first half of 2017.

Tech Effort to Get Money

One year after a powerhouse group of technology executives and venture capital icons met to form the Breakthrough Energy Coalition, the group, led by Microsoft founder Bill Gates, has launched a US$1 billion investment fund to support clean energy startups around the world.

The Breakthrough Energy Fund, chaired by Gates, is designed to jumpstart an entire new generation of entrepreneurs developing radical new approaches to providing reliable and low-cost energy, with zero carbon emissions as the end goal.

Institutional partners, including the University of California, will help generate research ideas. Strategic partners, including Southern Co. and others, will help the group with regulatory issues, and figure out which companies have the most promise.

In addition to Gates, co-chair of the Bill and Melinda Gates Foundation, the Breakthrough Energy Coalition’s board members include John Arnold, co-chair of the Laura and John Arnold Foundation; John Doerr, chair of Kleiner, Perkins, Caufield & Byers; and Vinod Khosla, founder of Khosla Ventures.

Star Power

Other leading members include Jack Ma, executive chairman of Alibaba Group; Mukesh Ambani, chairman and managing director of Reliance Industries; Hasso Plattner, cofounder of SAP; Jeff Bezos, founder and CEO of Amazon; and Reid Hoffman, founder of LinkedIn.

Former New York Mayor Michael Bloomberg recently joined the investor group, bringing the membership to 21, Gates said.

“Breakthrough technologies … have the potential to be one of the best investment opportunities of the 21st century,” Doerr said earlier this week, in a conference call with reporters.

The fund will invest in a wide variety of companies — storage, transportation, agricultural, electrical generation and industrial, among others. The fund will offer a range of financing, from seed capital to early stage investment and capitalization.

The fund will take advantage of a lot of lessons learned about financing clean energy companies, and apply those lessons to the new venture, Doerr said.

The fund will emphasize taking a “long, patient view” toward investment, in order to give companies enough time to properly develop, Khosla said during the conference call.

The fund will be able to handle seven-, eight- and nine-figure investments, Arnold added, and it will focus on revolutionary versus evolutionary investments — that is, those designed to push aggressively toward significant emission reductions.

“While there might be long-term business gains, I personally believe that this is part of [Gates’] philanthropic work to improve overall human conditions, particularly for the next generation,” observed Farah Saeed, principal consultant at Frost & Sullivan.

“Also, there is the attraction of using technology to resolve existing issues around improving affordability and vast availability of clean energy,” she told TechNewsWorld.

DoE Support

U.S. Department of Energy Secretary Ernest Moniz hailed the launch of the new fund as a breakthrough that will help push the U.S. into greater standing in the clean energy field, and he warned against the dangers of rolling back this progress.

Are You Still Stalking Customers

The controversy over Uber staff using the company’s tech to track people’s movements was reignited this week when information in a pending lawsuit began circulating in the tech press.

Uber employees can pull customer data at will, alleged Ward Spangenberg, the company’s former forensic investigator, in a court declaration filed earlier this fall as part of his bid to prevent the firm from forcing his case into arbitration.

Uber staffers have been able to track high-profile politicians, celebrities and ex-significant others, Spangenberg said.

His original complaint, filed in the Superior Court of California in San Francisco, centers on his dismissal from the company.

Uber continues to allow broad access to users’ trip information, five security professionals formerly employed at the company told Reveal.

That has been going on, they said, in spite of Uber’s assertions two years ago that it had policies prohibiting such actions, following news that executives were taking advantage of its “God View” feature to track customers in real time without their permission.

Uber’s Side of the Story

“It’s absolutely untrue that ‘all’ or ‘nearly all’ employees have access to customer data, with or without approval,” maintained Uber spokesperson Sophie Schmidt.

“We have built entire systems to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs,” she told TechNewsWorld. “This could include multiple steps of approval — by managers and the legal team — to ensure there is a legitimate business case for providing access.”

Access is granted “to specific types of data based on an employee’s role,” Schmidt asserted. All data access is logged and routinely audited, and all potential violators are “quickly and thoroughly investigated.”

Uber employees must acknowledge and agree to the company’s data access policy, CIO John Flynn emphasized in a memo sent earlier this week.

Violators have been terminated, he reminded them.

“We want our security and privacy practices and technology to be world-class, and we’re moving quickly toward that goal,” Flynn said. It’s “the responsibility of each and every one of us to protect” customer and driver data.

However, Uber’s defense in the Spangenberg case relies mainly on procedural issues.

“It’s not logical for any company to proclaim that they are secure because they sent an email telling employees what to do,” remarked John Gunn, VP of communications at Vasco Data Security.

“In the real IT world you don’t need these types of emails, because you’ve implemented limitations on access to sensitive data [that] you monitor and enforce,” he told TechNewsWorld.

The Need for Privacy

The latest revelation follows news that Uber has tracked customers even after they left its vehicles.

Uber “needs to come clean on whether [the privacy violations] occurred … and needs to have full disclosure of how it uses customer data,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.

Frost’s research “indicates that people take personal security very seriously,” he told TechNewsWorld.