Could an Intel chip flaw put your whole computer at risk?

By Paul Ducklin

Remember the Chernobyl virus, also known as “CIH” after the initials of its author, a certain Mr Chen Ing Hau of Taiwan?

CIH was the first virus that succeeded in directly and deliberately damaging your computer hardware by purposefully reprogramming your BIOS chip with garbage machine instructions.

The BIOS is the chip that contains the low-level software that is the very first thing to run when your computer fires up, so trashing it stopped your PC from loading up at all.

Ironically, the CIH virus didn’t have to find and exploit any security holes – there was generally no formal protection against writing to the BIOS back in those days.

You didn’t need to hold down a special hardware switch, enter a user-selectable password, or update with a cryptographically signed blob of firmware code.

The only protection was a sort of “security through obscurity” system that required a specific but publicly documented sequence of memory accesses and timings to activate BIOS writes.

This was a precaution intended to prevent programming accidents, but not to keep out crooks.

Read more at https://nakedsecurity.sophos.com/2018/04/17/could-an-intel-chip-flaw-put-your-whole-computer-at-risk/

“Privacy is not for sale,” says Telegram founder

By Lisa Vaas

Following the April 2017 suicide bombing on the St. Petersburg metro that killed 16 people, Russia threatened to block Telegram: the encrypted messaging app used to carry out the attack.

The FSB, the successor to the KGB, said in June that the app gave terrorists “the opportunity to create secret chat rooms with a high degree of encryption.”

At the time, Telegram’s founder, Pavel Durov, had resisted handing over the information the government had requested in order to put the app on its official list of information distributors. Durov said at the time that Russian authorities had also asked for the ability to decrypt user messages.

Durov’s argument: What would that achieve, besides prompting Telegram users to move to another app?

If you want to defeat terrorism by blocking stuff, you’ll have to block the internet.

Now, Russia’s made good on its threats. On Friday, the New York Times reported that Roskomnadzor – the Russian communications and technology watchdog – asked the court for the authority to block the app, effective immediately.

It took the court only 18 minutes to approve the request.

Read more at https://nakedsecurity.sophos.com/2018/04/17/privacy-is-not-for-sale-says-telegram-founder/

Gmail’s new ‘Confidential Mode’ won’t be completely private

By John E Dunn

Have you ever wished it were possible to delete an email from a recipient’s inbox days, weeks or months after it was sent?

If so and you’re a Gmail or G Suite user, it looks as if Google might be about to enable this kind of ‘self-destructing’ email feature on its platform.

We only have screenshots from an email sent to G Suite admins last week to go on, but what seems to be in the offing is the ability to set an expiration date for an email in a similar fashion to that already offered by specialist rivals such as ProtonMail.

“Confidential mode” time limits will be one week, one month or a chosen number of years from the moment it is sent, after which the email will disappear from both the recipient’s inbox and the sender’s outbox.

In addition, “options to forward, download or copy this email’s contents and attachments will be disabled” during the message’s lifetime, as will the ability to print it.

Senders will also be able to make recipients authenticate themselves by entering a onetime code sent from Google to a phone number.

Instead of sending a physical copy from one user to another, Confidential Mode will most likely host it on Google’s own servers, simply sending the recipient a link through which to view it.

That way, Google controls access to it and can delete it after the period set by the sender (ditto controlling access through authentication).

This design also makes it possible for a user on any email system to view the message without having to use Gmail (it’s possible Gmail account will be necessary at both ends for authenticated access to work).

Read more at https://nakedsecurity.sophos.com/2018/04/17/gmails-new-confidential-mode-wont-be-completely-private/

WhatsApp image showing drug dealer’s fingerprints leads to arrest

By Lisa Vaas

A dealer had some Class A drugs to sell.

So, he sent out an advertisement for ecstasy on WhatsApp. White, blue, yellow, red: they looked like candy in the photo, sealed in plastic, held out for display on his palm.

Smart drug dealer, right? Much to the chagrin of law enforcement, WhatsApp encrypts messages end-to-end. That means all messages: calls, photos, videos, file transfers and voice messages.

But the pill pusher didn’t consider that his message might end up on a seized phone in the hands of the police. Not did he likely consider a certain piece of evidence captured in that photo: his fingers.

In what the BBC calls a first for police in Wales, the image of a fingerprint helped to identify the man and to bring down an extensive drug-selling ring that could turn out to be larger still as the investigation continues.

Dave Thomas, of South Wales Police’s scientific support unit, called the work “groundbreaking.” He said that the WhatsApp photo helped to secure 11 convictions and to bring down the drug ring’s supply chain.

The middle and bottom part of a couple of fingers were just about visible under the bag of tablets in the image. In a video interview filmed by the BBC, Thomas pointed to the photo to describe how the imaging work was done:

Through some work done by our imaging unit, we enhanced what we could see on here. We did some inverting of the marks, [and] we then looked at the scale, which was another problem for us. We didn’t have a scale. Eventually we came from that with a suspect – main file fingerprints – and we compared them directly against this part of the mark which we could then search and identify the individual, which resulted in a number of arrests and a number of jail terms.

Thomas told the BBC that police are now looking more closely at the photos found on seized phones, in case they too might lead to evidence.

Read more at https://nakedsecurity.sophos.com/2018/04/17/whatsapp-image-showing-drug-dealers-fingerprints-leads-to-arrest/

5 simple tips for better computer security

By Maria Varmazis

Protecting your privacy and securing your home computers is easier than you might imagine. Better security isn’t just for big organizations or the uber-nerds – everyone, regardless of their computer literacy, can take simple steps to better secure their data and their personal devices. Small steps really can make a big impact.

If you’re not sure where to start, here are five tips that will go a long way to keeping you and your information safe.

1. Use unique passwords for every service you use

As tempting as it might be to reuse the same password across various websites (less to remember, less to type, you might be thinking), this is akin to you using the same key for your front door, back door, car, garage, and everything else you want to keep a lock on.

As easy as it might make things for you, it makes things even easier for an attacker to break into all of your accounts. If a hacker manages to grab your password through breaching one site, they get the keys to your entire digital life. That’s why you really want to have a unique password on each and every one of the websites you log in to.

This might sound like a lot to wrangle – “I thought you said these would be easy!” – but this is where technology can really come to your aid. There are many tools available to you, for free, that will generate unique passwords for the websites you use and store those passwords for you so you don’t have to remember them. They’re called password managers, and we’ve written about several of them before.

Many of the password managers on the market will integrate with your browser so you don’t even need to look up or copy/paste the password in, they’ll automatically fill the correct password in for you.

Examples of password managers include 1Password and LastPass, or if you’re an Apple or Google device user you could also try the Apple iCloud Keychain or Google’s Password Vault. Whichever one you choose, the key thing is that it’s easy for you to use. A password manager that works for you is one that takes away the burden of creating (and remembering) unique passwords, so using those passwords becomes a piece of cake. Just make sure you have a super strong, super long password on your password manager!

Read more at https://nakedsecurity.sophos.com/2018/04/17/5-simple-tips-for-better-computer-security/

Traditional firewalls fall short in protecting organizations, says survey

By Maria Varmazis

Even with a firewall in place, nearly a quarter of IT managers don’t know what’s going on with 70% of their network traffic.

That’s one of several key takeaways from a new survey, sponsored by Sophos, that asked IT managers in mid-sized organizations across the globe about how their firewall technology is working for them.

The survey covered IT managers from countries including the US, Canada, France, Germany, UK, Japan, India, South Africa and Australia. Respondents were from organizations ranging in size from 100 to 5,000 employees, in industries spanning several verticals, including technology, retail, manufacturing, professional services, utilities, education, and healthcare.

The survey responses reveal several “dirty secrets” of how traditional firewalls aren’t living up to their old promises, and how they fail to deliver the kind of visibility or responsiveness that organizations need to defend against modern threats.

Of course, visibility is a key component to security, as you can’t control what you can’t monitor. So if a protective measure, such as a firewall, isn’t aiding in providing that network traffic visibility, IT managers find themselves hindered in monitoring and controlling threats, and lagging in mitigation and remediation response times.

When there’s an active threat on the network, lost time means more time for malicious actors or rogue apps to cause damage. Survey respondents said on average each infected computer on their network takes 3.3 hours to identify, isolate, and remediate, so that real cost in time and resources adds up very quickly.

Read more at https://nakedsecurity.sophos.com/2018/04/17/traditional-firewalls-fall-short-in-protecting-organizations-says-survey/

Facebook: 3 reasons we’re tracking non-users

By Lisa Vaas

It should have been an easy question to answer.

It came from Florida Rep. Kathy Castor during the House’s questioning of Facebook CEO Mark Zuckerberg last week, when she asked:

You are collecting personal data on people who are not Facebook users. Yes or no?

There was no yes or no to be had, so she tried again:

You watch where we go. Isn’t that correct?

Zuckerberg’s response:

Everyone has control over how that works.

She wasn’t the only member of the House Energy and Commerce Committee to press the CEO about how much information it collects about both users and non-users. As Castor put it, “It’s practically impossible these days to remain untracked in America,” and it’s led to a “devil’s bargain” in which people are “spied on” and tracked even after they leave the platform.

On Monday, Facebook finally coughed up the answer. It’s no shocker: the answer is yes.

Yes, Facebook tracks both users and non-users across websites and apps, according to a post written by David Baser, Product Management Director.

It does so for three main reasons, he said:

1. To provide its services to the sites or apps;
2. To improve safety and security on Facebook; and
3. To enhance its own products and services.

From the post:

When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account. This is because other apps and sites don’t know who is using Facebook.

Facebook is far from the only online service to do this. Twitter, Pinterest and LinkedIn have similar Like and Share buttons, Google has a popular analytics service, and Amazon, Google and Twitter all offer login features, Baser said.

Read more at https://nakedsecurity.sophos.com/2018/04/18/facebook-3-reasons-were-tracking-non-users/