Archives for June 2018

June 29, 2018 by Joseph Martin

What’s old is new again.

Hackers have recently begun re-deploying a decade-old trick called ‘ZeroFont’ to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 email accounts. The gimmick? Zero-point fonts.

As anyone with even passing familiarity to Office 365 knows, if you’re drafting a document, you can change the font size to suit your tastes and preferences. What few people realize is that you can use html code to set your font to zero-point size.

Of course, such a move has no practical application in everyday usage, because no one could read a zero-point font. Hackers, however, can make cunning use of it, and Office 365 is unable to detect the presence of zero-point fonts. Since they’re not detected, they’re not marked as malicious and sail right through the security filters.

By itself, the zero-point trick is useful, but not inherently deadly. Unfortunately, it can be combined with other tricks like Punycode, Unicode, or Hexidecimal code to insert malicious commands into what appears to be a totally innocent email.

It gets better (or worse, depending on your point of view). Just last month, researchers at a company called Avanan discovered that it was possible to use the HTML tag in an email or Office 365 document, point it at a malicious site, and the security filters would blithely ignore it.

Again, it should be noted that these tricks aren’t new. They’ve been around for years, fell out of favor in preference for newer techniques, and now are being recycled. Apparently, they’re so old that they skate right past modern security flags and filters.

Expect updates soon to catch these types of things, but in the short run, just be aware these types of attacks are not only possible, but trivial to execute.

Joseph Martin

President & CEO
I hope you enjoyed this article. My mission is to take your stress away from dealing with IT problems. Call (252) 565-1235 or send me a message at our contact us page if you have a question, comment or want help.

June 29, 2018 by Joseph Martin

How many web apps do you have on your phone? Probably a ton. Here’s something you likely didn’t know. Based on the latest research from Positive Technologies, nearly half of them (48 percent) are vulnerable to unauthorized access.

As bad as that is, it’s just the tip of the proverbial iceberg.

Here are some additional disturbing stats from their report :

44 percent of the apps with vulnerabilities place the user’s personal data at risk

70 percent are prone to leak critical information stored on the device

96 percent of them contain flaws that would allow any malicious actor to exploit them to launch an attack on the target device

Of those, one in six (17 percent) has a flaw severe enough that it would allow an attacker to assume complete control over the app, and from there, the device itself

The majority of these flaws (some 65 percent) are the result of simple coding errors, with improper configuration of web servers being the most common of these.

There is one bright spot in the otherwise dismal report, though. The percentage of apps with critical vulnerabilities has declined slightly, down from 52 percent last year, and 59 percent the year before. So the numbers, while frustratingly large, are trending in the right direction.

Ed Keary, the CEO of Edgescan had this to say on the topic:

“DevSecOps needs to be embraced such that security is throughout the development pipeline. Application component security management (software components used by developers) is still not commonplace in terms of supporting frameworks and software components and is a common source of vulnerability.”

If your firm designs such applications, pay special attention to this report and review your code base at the earliest opportunity. Even if you don’t, it pays to be mindful of the percentages, because odds are that your employees have several at-risk apps on the devices they’re connecting to your network.

Joseph Martin

June 28, 2018 by Joseph Martin

Malicious code can wind up on your PC or phone by any number of roads. Companies do their best to guard the digital passes, but invariably, things get missed and the hackers find a way in. It’s a constant battle, and sadly, one that the good guys are losing.

Recently Google has stepped up its efforts, this time by focusing on Chrome browser extensions installed by third parties. By the end of the year, no extensions will be allowed on Chrome except for those acquired via the Web Store.

James Wagner, Google’s Product Manager for the Extensions Platform, had this to say on the topic:

“We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly – and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites.”

It’s a thorny problem, but industry experts broadly agree that Google is taking the right approach here. Beginning in September, Google plans to disable the “inline installation” feature for all existing extensions. The user will instead be redirected to the Chrome Web Store where they’ll have the option to install the extension straight from the source.

Then, in December 2018, the company will remove the inline install API from Chrome 71, which should solve the problem decisively.

Of course, hackers being hackers will no doubt find a way around that, but kudos to Google for taking decisive action here. While browser extensions aren’t a major attack vector, it’s troublesome enough that Google’s attention is most welcome.

It should be noted that one of the indirect benefits of Google’s plan is that it further bolsters the importance of user ratings of extensions. They’re highly visible on the Web Store, so anyone who’s considering installing something has a good, “at-a-glance” way of telling whether the extension is good or a scam. That’s information they wouldn’t get had the extension been installed inline.

Again, kudos to Google!

Joseph Martin

June 27, 2018 by Joseph Martin

More bad news for Intel. Yet another security flaw has been identified in the processors the company makes. This one is so newly discovered that the full technical details have yet to be released. Here’s what we know so far, from a recent Intel announcement:

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch…Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other process through a speculative execution side channel that infers their value.”

In simpler terms, what this means is that a hacker could use this exploit to gain partial cryptographic keys used by other programs running on the target computer.

While related to the recent Spectre and Meltdown security flaws, this one is different in two ways. First, it’s not quite as severe as the formerly discovered flaws in scope or scale. To make use of this, one would require an incredibly exotic attack that would simply be beyond the capabilities of most hackers.

Also, it should be noted that where Spectre and Meltdown impacted dozens of chipsets dating back more than a decade, the “Lazy FP State Restore” flaw only impacts chips beginning at Sandy Bridge.

The other key difference is that the flaw in this case, does not reside in the hardware. That’s good news for businesses of all shapes and sizes, because it means that when Intel and their hardware vendors have a patch ready, it will be quick and relatively painless to install it.

Unfortunately, since the initial discovery of Spectre and Meltdown, a number of variants of those flaws have emerged, and now this new one. It’s unlikely that this will be the last we’ve seen of these types of issues, so if you’re using Intel equipment, brace yourself. There’s likely more to come.

Joseph Martin

June 26, 2018 by Joseph Martin

Change is coming, and not everyone is happy about it. Recently, Google redesigned its G-mail interface, and since then, they’ve allowed their free users to opt into the new changes. G-Suite users may or may not see the option to try the new interface, depending on whether their administrators have enabled the option and made it visible.

The company just announced that beginning in July, 2018, administrators will be required to give all users the ability to opt into the new interface. Then, sometime in September 2018, all users will be switched to the new interface by default, although the option to switch back to the old interface will be available for approximately one month. After that, the option to use the old interface will vanish, and all G-Suite users will only be able to use G-Mail using the new interface.

The company has not made any official announcement regarding users who have free G-Mail accounts. However, most industry insiders expect that given the timetable outlined above for G-Suite users, free G-Mail users can expect an email or other communication from Google about when the option to use the old interface will be going away for good. Ultimately, Google means for everyone to use their new interface design, and will certainly enforce that.

Google’s handling of the change has been exceptional. Change comes to us all, and in business, sometimes it can descend at a terrifying pace. Only by slowing things down to a more human scale can you give your employees time to adapt and grow accustomed to the coming change.

Kudos to Google for a job well done, and business owners, take note. Change may be inevitable, but it doesn’t have to be scary. Just give your employees time to get used to the idea.

Joseph Martin

June 25, 2018 by Joseph Martin

It’s the end of the line for Yahoo Messenger. As of July, it will be no more, marking the end of an era.

The announcement comes just six months after AIM (the old AOL messaging program) was shut down. The first major messaging programs from the early days of the internet will soon be a thing of the past.

Users will have six months to download their chat histories from Yahoo Messenger. If they haven’t gotten what they need by then, they’ll lose their chance forever.

It probably won’t come as a major blow to most people. Although it used to be one of the most popular and widely used communications programs, its popularity has slipped markedly in recent years, to the point that there’s little justification in continuing support for it.

The company had this to say on the matter:

“We know we have many loyal fans who have used Yahoo Messenger since its beginning as one of the first chat apps of its kind. As the communications landscape continues to change over, we’re focusing on building and introducing new, exciting communications tools that better fit consumer needs.”

Currently, the company has no direct replacement for Messenger. The closest match would be a group messaging app called “Yahoo Squirrel,” which is currently in beta. Users interested in the new tool can request an invitation at squirrel.yahoo.com.

For the rest of us, Yahoo Messenger’s loss isn’t likely to cause problems from a business perspective. This, along with Microsoft’s retirement of the venerable MS Paint, serves as a reminder that the internet is growing up. Many of the tools we’ve used and taken for granted for years are now fading away. It’s a brave new world.

Joseph Martin

June 24, 2018 by Joseph Martin

Facebook is in hot water again. Recently, the company admitted that while testing a new feature on the site, they inadvertently made public the posts of more than fourteen million users. The incident occurred between May 18th and May 22nd and occurred when Facebook was testing a new “Featured Posts” enhancement.

The goal was that users could selectively make posts visible to everyone. Unfortunately, the error created a situation where any posts users in the test group made were automatically shared to everyone. The company found and corrected the mistake on May 27th, but during the intervening span of days, any posts those users made were set to global visibility. Facebook is currently in the process of contacting the impacted users and asking them to review any posts they made during the impact period.

Chief Privacy Officer Erin Egan had this to say: “To be clear, this bug did not impact anything people had posted before – and they could still choose their audience just as they always have. We’d like to apologize for this mistake.”

Unfortunately, this is not the first time in the recent past that Facebook has gotten into hot water over the mishandling of user data. Earlier this year, Facebook CEO Mark Zuckerberg had to testify before Congress when it came to light that the company acknowledged they had improperly shared private information pertaining to tens of millions of its users with Cambridge Analytica, which used the information in an attempt to influence the most recent presidential election.

Even if you’re not a member of the test group, if you use Facebook and made any posts between May 18th and May 27th when the company fixed the bug, it pays to review your posts just to make sure that their visibility has been properly set.

Joseph Martin

June 22, 2018 by Joseph Martin

Another week, another new threat. This time, in the form of a new strain of malware that researchers are calling InvisiMole. The new threat was discovered by researchers at ESET, who found it on a number of hacked computers in Russia and the Ukraine.

While the researchers have yet to trace the software back to the group that developed it, based on the available evidence, the campaign appears to be tightly targeted and highly selective. Only a few dozen computers have been found to be infected, although all impacted systems are both high-profile and high-value.

As for the software itself, it’s a nasty piece of business capable of quietly taking control over an infected system’s video camera and capture audio. This allows them to both see and hear anything going on in the vicinity of the system. Essentially then, InvisiMole turns your computer into a compromised Amazon Echo.

Based on the sophisticated design of the software and the fact that the researchers have yet to be able to trace it back to the source, it’s believed that it has been developed by (or at least in partnership with) an unknown state actor. Although the current campaign is small and highly targeted, given its capabilities, InvisiMole could easily become a much more serious threat.

Even worse, it’s entirely possible that the original developers could lose control of the code, or that some other hacker group could reverse engineer it, causing it to spread far and wide.

Research into the software is still ongoing, and at this point ESET can’t say with certainty how the malicious payload is being delivered to target machines. Of course, at present, there is no antivirus software defense against it. Stay on your guard. You never know who might be watching.

Joseph Martin

June 21, 2018 by Joseph Martin

Big changes are coming from Microsoft starting in July (exact date unknown), and it has potentially dire implications if you’re using some of the company’s older technology.

Microsoft announced that in July, they’ll no longer provide forum-based support for a wide range of products and software, including:

Microsoft Band

Zune

Surface Pro

Surface Pro 2

Surface RT

Surface 2

Microsoft Security Essentials

Internet Explorer 10

Office 2010

Office 2013

Windows 7

Windows 8.1

Windows 8.1 RT

Although the company didn’t cite a specific reason for the change, it seems obvious that this is another move to push people into buying the latest and greatest of the company’s offerings. Unfortunately for them, the announcement has been met with more than a little hostility, and for good reason.

Consider that the company has pledged to continue to support Windows 7 until 2020, and Windows 8.1 (and variants) until 2023. Given that we’re still quite some distance from those EOL dates, closing an important avenue of support for a product the company is still ostensibly supporting seems a bit premature. Nonetheless, there’s no indication at this time that the company has plans to extend the forum support for any of these products beyond July.

In some instances, this won’t prove to be problematic. Few people still use Internet Explorer 10 as anything more than a curiosity, and Zune was never especially popular, so the loss of those forums isn’t likely to cause much backlash. However, in the case of Windows 7 and 8.1, not only has the company pledged support for years to come, but those products are still actively used by a significant minority around the world, and those users aren’t thrilled with the recent announcement.

In any case, given that the company is unlikely to change course, this is all the more reason to make upgrading a priority if you’re still using any of the products mentioned above.

Joseph Martin

June 20, 2018 by Joseph Martin

Cyber-criminals around the world are increasingly focusing their attention on job seekers. According to the security firm Flashpoint, there has been a notable uptick in ploys involving phony job listings that attempt to get job seekers to give up personal information.

Perhaps the biggest surprise is the fact that this is only now becoming a growing threat. After all, from the cyber-criminal’s point of view, it’s low hanging fruit. Job seekers expect that they’ll be asked for all types of personal information when applying for positions, after all.

As long as the criminals take the time to make their offers appear legitimate, most applicants wouldn’t think twice about sending in their resume (complete with physical address and phone number), and then, a bit later in the process, their social security number and other personal and confidential information.

According to Flashpoint analyst David Shear, it’s not just personal information the criminals are after, however. Increasingly, criminals are seeking to engage the services of the people who “apply,” by using them as unwitting money mules, or using them as part of an intricate money laundering scheme.

On top of that, it’s all too easy for the criminal to respond to an applicant’s inquiry with an email containing an attachment (usually a poisoned PDF). Again, since the applicant thinks he (or she) has replied to a legitimate offer for employment, odds are excellent that they’ll open the attachment without hesitation.

At that point, whatever payload the poisoned file contained is installed onto their computer, which can have devastating consequences, depending on the nature of the malware the criminals want to install.

Shear also notes that he and his team have seen an increase in the number of inquiries on the Dark Web asking after compromised business accounts, and offers this explanation as to why: “Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge.”

All that to say, job seekers beware. It seems that no low is too low where these criminals are concerned.

Joseph Martin

Contact Info

Navigation