Two researchers appear to have discovered a serious flaw in USB. This isn’t just your everyday virus. Malware planted using this flaw is not merely stored on the flash memory itself; it’s actually in the firmware that the drive depends on to run. One article blames the flaw on the USB Implementers Forum, which supports and promotes the USB specification. The flaw is able to spread from a USB flash drive to a computer and vice versa.
Until device makers come up with a fix, Nohl, one of the two researchers, proposes a short-term solution: don’t connect untrusted USB drives to your computer, and don’t connect your USB drives to untrusted computers.
Simple enough, right? Even before this flaw was discovered, Nohl’s suggestion would have been sound advice; untrusted computers can plant more run-of-the-mill malware on your drive or tamper with your files. But the fact that the article describes Nohl’s suggestion as a “fundamental change in how we use USB gadgets” reflects on how most of us in fact use our USB flash drives. This is unsurprising, considering how convenient it is to carry our files around from one computer to another, but it is also an attitude that should be reexamined, particularly in light of these latest discoveries.
The 3 Threats
Last week, a group of researchers released a paper detailing 3 major new threats to online privacy:
1. Canvas fingerprinting: A site has your browser draw an image that is never displayed. Because each browser is likely to render the image slightly differently, the result lets the site identify your browser.
2. Evercookies: The site uses data stored in alternative vectors to respawn deleted HTTP cookies. Such vectors include Flash cookies, localStorage, and IndexedDB.
3. Cookie Syncing: This is the practice of two or more sites sharing a user identifier with each other, allowing the sites to combine their respective databases with each other to build a more detailed profile of their users’ browsing history.
These methods are far more difficult to defend against than traditional HTTP cookies, which are easily deleted.
Continue reading 3 Major New Threats to Online Privacy
Update (September 7, 2014): Today, I updated a computer to Java 8 Update 20. This time, I know for a fact that the boxes that lead to the installation of an Ask program and to changing my home page settings were checked by default. Here’s what the installer for Java 8 Update 20 pops up:
Guess what? They changed the word “Toolbar” to “Search App”. Is that supposed to make the program more palatable? Giving the program a different name doesn’t change its nature. Nor does it change the fact that it’s an opt-out, rather than an opt-in, third-party program.
My original post (July 26, 2014):
Last week, I was updating Java on a computer when I got the following pop-up. Although I’m not 100% certain, I believe the box next to “Install the Ask Toolbar in Internet Explorer” was checked, thus installing a toolbar into the browser of any unwary user. This situation is not news; Oracle has been doing this for over a year already. Nevertheless, I thought I’d take a moment to remind everyone not to click those “next” buttons in program installers without reading what you’re agreeing to.
Many companies, including large and well-known ones, bundle third-party programs into the installers for their own software. When you’re updating a program, how often do you read through every prompt
Continue reading Watch Out for Bundled Third-Party Software
Two days ago, Avast made a post on their blog describing their successful efforts to recover data from 20 old phones that they bought from eBay. Some details of their forensic analysis of the phones were provided the next day. Avast describes the inadequacy of deleting files “the regular way” and plugs its own app, which it claims allows the secure deletion of files. When Avast mentions deleting files “the regular way,” they simply mean
Continue reading An Overview of Secure Data Deletion
According to threat intelligence firm CrowdStrike, Chinese cyber spies have been targeting think tanks, ostensibly to obtain information on the potential disruption of Chinese oil interests in Iraq. Spear-phishing is the act of sending an e-mail tailored to a specific individual (as opposed to “phishing,” where e-mails are sent out en masse to many different individuals) in order to fraudulently induce them to give away personal information such as their e-mail password. It is hardly a new tactic, nor is the Chinese government the only group that has been accused of using it. In February 2014, the Syrian Electronic Army hacked into Forbes using the same tactic. In many cases, the true perpetrator of an attack is unclear, especially when Internet traffic is routed through the accused country.
I’m going to leave the finger-pointing to governments and the private firms that investigate such attacks. I will instead focus on how you can protect yourself against such attacks. While
Continue reading How to Protect Yourself Against Spear-Phishing
I recently came across a random comment on a YouTube video listing a phone number purportedly belonging to Gmail technical support. I have redacted the last 5 digits of the number so that nobody calls this number by accident: 1-855-23_-____
I was never going to call this number, but I was curious about it and wanted to investigate further. I know from personal experience how difficult it is to reach Google for any kind of technical support, so I was highly skeptical of the idea that they would have a dedicated support line
Continue reading Beware the dangers of Vishing
Sometime in late May, TrueCrypt’s homepage began redirecting users to a Sourceforge page. As of this moment, the Sourceforge page says that the development of TrueCrypt has ended and that the program may not be secure. The only version of TrueCrypt offered at the page now (7.2) is a crippled version that only has the ability to decrypt files.
There was much speculation as to the reason for TrueCrypt’s demise, ranging from its site being hacked to the desire of the developers to call it quits. At this point,
Continue reading TrueCrypt: What happened? Who cares? What’s next?