October 30, 2018

China hijacking internet traffic using BGP, claim researchers

By John E Dunn

China has been accused of hijacking the internet’s Border Gateway Protocol (BGP) to carry out covert man-in-the-middle surveillance on Western countries and companies.

BGP governs how traffic is routed between subdivisions of the internet known as autonomous systems (AS). It ensures that traffic reaches the correct servers – meaning messing around with it is bad news.

Usually, proving what’s been going on with hard technical evidence is extremely difficult when nations are accused of nefarious internet activities.

That should be true for BGP hijacking too, where deliberate attacks can be hard to distinguish from innocent router misconfiguration.

However, the authors of ‘China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking’ say they analysed data from a special route-tracing system hosted at the University of Tel Aviv that is capable of detecting unusual patterns of BGP ‘announcements’.

Since 2016, this helped them pick up a series of unusual routing events that they believe were too consistent in their duration and scale to be dismissed as accidents.

But what is BGP hijacking anyway?

The infamous illustration would be Pakistan Telecommunication Authority’s (PTA) 2008 hijack of YouTube traffic to block a contentious video.

PTA’s poorly executed approach was to try to sinkhole all traffic to a subset of IP addresses belonging to Google that gave access to the video in the country.

Read more at https://nakedsecurity.sophos.com/2018/10/30/china-hijacking-internet-traffic-using-bgp-claim-researchers/

Self-driving cars learn (from us) about who to sacrifice in a crash

By Lisa Vaas

You’re crossing a road on a dark night. There’s a self-driving car on course to run you down.

What are the chances that after it (hopefully) detects you, it will make a split-second decision that, if it has to risk killing somebody, it’s you rather than somebody else?

Sure, it sounds like a purely hypothetical twist on the famous ethical thought experiment about the trolley, where you have to choose between running over five people on the tracks or reaching out to pull a switch to thereby divert the trolley to a side track where only one person is killed.

However, it’s far from hypothetical. These cars are now being trained to make decisions that are being played out on roadways. Tragically, a decision made by an autonomous Uber car in March ended in the death of 49-year-old Elaine Herzberg. She’s believed to be the first pedestrian killed by a self-driving car.

The fatal choice made by artificial intelligence (AI) in that case was reportedly made because of a software glitch, though already we’re seeing choices made in autonomous vehicle AI training that have more to do with what might seem like trivialities: namely, do we want a smoother ride that’s more prone to ignore potential false positives (bags blowing around, for example, or bushes on the side of the road), or a jerky ride that errs on the side of “that object might be a human”?

Unsurprisingly, answers to the question of who gets to be roadkill differ by culture, as is made evident by a platform called Moral Machine that’s been created by MIT Media Lab and Harvard University, the University of British Columbia in Canada, and the Université Toulouse Capitole in France.

Read more at https://nakedsecurity.sophos.com/2018/10/29/self-driving-cars-learn-from-us-about-who-to-sacrifice-in-a-crash/

“Right to repair” gets a boost from new DMCA software rules

By John E Dunn

The Library of Congress and Copyright Office just made it easier for US owners of a wide range of home devices to hack and repair their software without fear of being prosecuted under the Digital Millennium Copyright Act (DMCA).

Exemptions to the DMCA are considered every three years to allow for adjustments where a convincing case can be made.

From 28 October, the organization has decided that the list of exemptions should now include smartphones, tablets, motor vehicles, and a wide range of home appliances such as smart TVs and voice-controlled speakers. Specifically:

The Acting Register recommended a new exemption allowing for the circumvention of TPMs [technological protection measures] restricting access to firmware that controls smartphones and home appliances and home systems for the purposes of diagnosis, maintenance, or repair.

The expansion has attracted attention on the back of the growing ‘right to repair’ movement that contends that repairing and lawfully unlocking many of today’s consumer devices involves meddling with their software.

However, TPMs such as Digital Rights Management (DRM) can make that a tricky undertaking for anyone trying to stay on the right side of the law.

Exacerbating this is the growing complexity of products that embed proprietary software that can malfunction or limit the use of a device in ways the authorities are having to spend more time thinking through.

Read more at https://nakedsecurity.sophos.com/2018/10/29/right-to-repair-gets-a-boost-from-new-dcma-software-rules/

Call of Duty players caught up in cryptocurrency theft racket

By Maria Varmazis

The FBI recently busted a group of criminals that it believes were stealing cryptocurrency and coordinating their efforts through the first-person shooter game Call of Duty.

According to the Chicago Sun-Times, which has seen the first-hand report from a court filing in Chicago, the FBI alleges that the criminals involved stole more than $3.3 million USD in a variety of cryptocurrencies, including Reputation and Ethereum tokens and that the thieves coerced other Call of Duty players into joining their criminal activities.

Two men from outside of Chicago say they met the group of cybercriminals looking to recruit more people into their ranks while using the voice chat in Call of Duty.

According to the FBI affidavit, both men said they were forced to join in the criminal activities under threat of being SWATed, which is when someone makes a fake criminal report against their target, spurring heavily-armed law enforcement to descend upon their house, with guns armed and ready. This isn’t a mere prank: At best this is a terrifying ordeal for the victim, and at worst it can turn deadly.

Read more at https://nakedsecurity.sophos.com/2018/10/29/call-of-duty-players-caught-up-in-cryptocurrency-theft-racket/

Researchers exploit Microsoft Word through embedded video

By Danny Bradbury

A group of researchers has found a way to infect computers via Word documents without triggering a telltale security warning. The attack exploits a feature that allows authors to embed video directly in Word files.

Office programs have been subject to embedded malware before, but usually come with warnings. Word macros are a good example. An MS Office document with an embedded macro must ask the user’s permission before it executes, notifying users that macros can be dangerous.

Researchers at online breach and attack platform vendor Cymulate found the vulnerability inside Word’s online video feature, which allows users to embed a reference to a remote video (such as a YouTube video) directly into a document, so that it can be played when opened.

Attackers can pull off the exploit by manually altering the reference to a remote video inside a DOCX file so that it points to some malicious code instead of a video.

A document with a .docx extension is actually a compressed package containing several files and folders comprising the document’s content and metadata. Normally, users don’t see the bits and pieces inside the package because .docx files are opened, interpreted and presented by Word. Under the hood, .docx files are just ZIP archives though, which means they can actually be opened by any zip decompressor (including Windows, which will unzip a DOCX for you if you change the file extension from .docx to .zip and double click on it).

Unzipping a DOCX file exposes the structure of the archive, which contains several folders, including a Word directory where most of the good stuff lies. Inside it is an XML file called document.xml, which contains the code for any embedded videos in the form of HTML iframes.

Read more at https://nakedsecurity.sophos.com/2018/10/29/researchers-exploit-microsoft-word-through-embedded-video/
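
An added example, not from the original article or from Cymulate: a defender-side check that opens a DOCX as a ZIP archive, reads word/document.xml and flags embedded-video HTML that is anything other than an HTTPS iframe pointing at an approved host. The `embeddedHtml` attribute name comes from Word's file format rather than from this page; the allow-list, the function names and the sample documents are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}  # assumption: local policy

class TagAudit(HTMLParser):
    """Record every start tag and every iframe src seen in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.tags, self.srcs = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")

def audit_docx(data):
    """Return a list of findings for embedded-video HTML in word/document.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        # For untrusted files, parse with a hardened XML parser such as defusedxml.
        root = ET.fromstring(pkg.read("word/document.xml"))
    for el in root.iter():
        for name, html in el.attrib.items():
            if name.rsplit("}", 1)[-1] != "embeddedHtml":
                continue
            audit = TagAudit()
            audit.feed(html)
            extra = sorted(set(audit.tags) - {"iframe"})
            if extra or not audit.srcs:
                findings.append(f"unexpected markup {extra}")
            for src in audit.srcs:
                url = urlparse(src)
                if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
                    findings.append(f"iframe source not allowed: {src}")
    return findings

def make_docx(embedded_html):
    """Build a constructed, minimal package holding only word/document.xml."""
    xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           'xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
           f'<w:body><wp15:webVideoPr embeddedHtml={quoteattr(embedded_html)}/></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", xml)
    return buf.getvalue()

CLEAN = make_docx('<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>')
TAMPERED = make_docx('<script>/* inert placeholder */</script>')
```

`audit_docx` takes the raw bytes of a file, so it can run on mail attachments or uploads before anyone opens them in Word.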

