May 1, 2019

Keeping your data safe when traveling

By Maria Varmazis

Our whole lives and livelihoods are wrapped up in our data.

That data is especially vulnerable at border crossings and in unfamiliar environments.

There are plenty of security products available on the internet for the privacy-minded traveler – if you feel like going shopping, a quick search will turn those up for you.

And if you really want an excuse to travel with a laptop and phone that you’ll acquire solely for your trip and then dispose of when you leave, you certainly can, but most people won’t.

But here are some tips you can use without spending tons of money on extra security gear.

Getting there – keep it encrypted, and travel light

If you need to bring data with you, make sure it’s encrypted with full disk encryption, and that your computer is turned off – not merely on standby – so that there are no encryption keys left in memory.

Keep in mind that border officials in some countries can require you turn on and unlock your devices, and they may be allowed to make and keep copies of your data, as a condition of entry.

If you refuse you might be denied entry, or even detained. So think of encryption more as protection from data loss should your hard drive or machine be stolen or physically lost.

Read more at https://nakedsecurity.sophos.com/2019/05/01/keeping-your-data-safe-when-traveling/

Millions of consumer smart devices exposed by serious security flaw

By John E Dunn

A security researcher has discovered severe flaws in an Internet of Things (IoT) software feature called iLnkP2P, which renders the millions of consumer devices using it vulnerable to remote discovery and hijack.

Publicized by Paul Marrapese, neither iLnkP2P nor the Chinese company that developed it, Shenzhen Yunni Technology, will be familiar names to the people buying the products containing it.

Despite this, iLnkP2P was identified in at least two million devices made by companies including HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.

The software’s purpose is to allow IoT devices such as security webcams, baby monitors, and smart doorbells to be configured quickly without having to know how to open ports in a broadband router’s firewall.

Instead, consumers can power on their new device and instantly connect to it in peer-to-peer (P2P) fashion using an app on their computer by entering a Unique Identifier (UID). Nice and easy to use but not, it turns out, a good architecture from a security point of view.

The flaws

The main iLnkP2P flaw is CVE-2019-11220, which for understandable reasons Marrapese doesn’t dwell on but he says allows attackers to carry out man-in-the-middle attacks and steal device passwords on the way to a device takeover.

However, it’s the second flaw, CVE-2019-11220, that allows attackers to discover which devices are vulnerable to the above weakness and reach out to them even when they’re on the other side of an apparently secure firewall using Network Address Translation (NAT).

Read more at https://nakedsecurity.sophos.com/2019/05/01/millions-of-consumer-smart-devices-exposed-by-serious-security-flaw/

Diabetics are hunting down obsolete insulin pumps with a security flaw

By Lisa Vaas

Eight years ago, thanks to 10-year-old code that failed to use encryption to conceal the content of its wireless transmissions, security researcher Barnaby Jack successfully hacked a Medtronic insulin pump and proved it’s feasible to poison a diabetic wearer with a potentially lethal overdose.

If diabetic equipment hackers cared about money, that security flaw would now be worth more than gold. But they don’t.

What the community of people devoted to hacking their way to better diabetes management through homemade, closed-loop systems care about is helping themselves, loved ones and each other to climb over the lag in Federal Drug Administration (FDA) approval of such systems.

Medtronic hasn’t sold those flawed pumps for years. You can still get them, though, and an army of people dedicated to hacking insulin pumps has arisen to source them wherever they can find them, including on an underground market for medical devices that exists in places like eBay, Craigslist, or Facebook.

This is nothing new. Hackers first realized they could exploit the security flaw for a DIY diabetes revolution back in 2014. And on Monday, The Atlantic published a comprehensive look at how they’re hunting down the obsolete, security flaw-ridden devices, which can be used to create artificial pancreases because they’re so conveniently hackable.

DIY pancreas

The pancreas of a Type 1 diabetic doesn’t produce insulin, or doesn’t produce enough, to keep blood sugar levels under control. That lack of control will eventually lead to death if the hormone isn’t administered manually, whether it be through multiple daily injections or via insulin pumps that do it automatically and continuously, feeding a steady drip of insulin through thin, disposable tubing that’s inserted under the skin.

Read more at https://nakedsecurity.sophos.com/2019/05/01/diabetics-are-hunting-down-obsolete-insulin-pumps-with-a-security-flaw/

Mystery database exposes data on 80 million US households

By Lisa Vaas

Here’s a database riddle: what kind of service collects data on 80 million US households, but only people over the age of 40, and includes their name, birthdate, gender, income, homeowner status, map coordinates, whether they’re married (but not how many children they may have), and dwelling type (but not their social security number)?

Give up? So did the security researchers who stumbled on an open database with all that data. That’s why they asked for help in trying to figure out who the database might belong to.

Noam Rotem and Ran Locar, VPNMentor researchers, found the unidentified, open database, along with its 24GB worth of records, hosted on a Microsoft cloud server.

The database contained loads of detailed information that could be used in a number of ways, many of them not good, including being put to use by identity thieves or phishers. Just knowing your name and city are enough to run a comprehensive search, Rotem and Locar said – one that could return company websites, personal blogs or websites, social media profiles like Facebook, Instagram, and Twitter, and whatever local media you may be featured in.

Read more at https://nakedsecurity.sophos.com/2019/05/01/mystery-database-exposes-data-on-80-million-us-households/

Crooks using hacked Microsoft email accounts to steal cryptocurrency

By Danny Bradbury

Microsoft email accounts hijacked last month are being used by criminals to steal cryptocurrency.

Motherboard reported attacks on Microsoft emails earlier in April that allowed hackers to read users’ content. It found several victims this week who said that the attackers had used their email to compromise their cryptocurrency exchange accounts and empty their funds.

One such victim, Jevon Ritmeester, claims to have lost just over one bitcoin as a result of the hack after its perpetrators compromised his account at cryptocurrency exchange Kraken.

Posting in the Tweakers technology forum last week, Ritmeester said:

On 08-04 I wanted to see the status of my cryptos. I don’t watch Kraken.com every day, sometimes I don’t even look for months. [Text translated]

When he checked his account, he found that his Kraken password no longer worked, and saw no emails in his Outlook inbox. He only found the telltale password reset emails when he looked in his trash folder.

The criminals had requested a password reset and then hidden the confirmation emails from him by creating an email processing rule. If the rule found specific text in incoming emails, it would forward them to the attackers’ address before deleting it from the local mailbox. That allowed the criminals to reset Ritmeester’s password and empty his account.

Other users on Reddit claimed that the same thing had happened to them. One, Jefferson1337, said that they had lost about $5,000 in cryptocurrency.

Earlier last month, Microsoft confirmed to TechCrunch that some email accounts had been compromised after hackers accessed one of its customer support accounts. According to reports, the hackers could access any email account as long as it wasn’t a corporate-level one.

Read more at https://nakedsecurity.sophos.com/2019/05/01/criminals-used-hacked-microsoft-email-accounts-to-pilfer-cryptocurrency/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation