May 28, 2019

Serious Security: Don’t let your SQL server attack you with ransomware

By Paul Ducklin

If crooks want to sneak into your system, they have quite a few choices.

They could do some serious hacking, using vulnerabilities and exploits to bypass the security checks you already have in place and trick your servers into running software they’re not supposed to.

Or they could find out how to get in without any low-level jiggery-pokery, using an official entrance and using official system commands.

That’s a bit like taking a taxi to a bank robbery instead of using a stolen car – it’s not a very gangster thing to do, but you won’t trigger any licence plate cameras on the way.

As regular readers will know, one of the popular vehicles for malware crooks at the moment is Windows RDP, short for Remote Desktop Protocol.

Sadly, we’ve written many times in recent years about RDP security lapses that allow crooks to come into your network as if they were real sysadmins…

…except that instead of fixing things, they break them, and then demand money to make good the damage.

But RDP isn’t the only popular way in for crooks.

We recently published honeypot research looking at SSH attacks, where SSH stands for Secure Shell, a remote access system that’s even more widely used on Linux and Unix than RDP is on Windows.

(SSH is also popular on Windows servers, but doesn’t have the close-to-100% adoption that it does on their Unixy cousins.)


Any advance on $1.2m for this virus-infested netbook?

By Danny Bradbury

Can you call malware art? That’s the question up for debate this week as Chinese Internet artist Guo O Dong puts a laptop hosting a collection of viruses up for auction. Well-heeled patrons certainly seem to think it’s art – bidding had reached a cool $1.2m at the time of writing.

Dong has infected a 2008 Samsung netbook running Windows XP3 with six of the nastiest, most disruptive viruses ever created. You’d think that for $1.2m he could have at least thrown in a desktop computer with a decent GPU.

Some might call it the Netbook of Doom, but he calls the project The Persistence of Chaos. Okey dokey.


Safari test points to a future with tracker-free ads

By John E Dunn

Apple thinks it has come up with a way for advertisers to track how well their ads are doing without (*gasp*) compromising user privacy.

It sounds like a tall order but according to John Wilander, WebKit engineer and architect of Apple’s Intelligent Tracking Prevention (ITP), a technology called Privacy Preserving Ad Click Attribution has been added as an experimental feature to Preview 82+ of the Safari browser.

Nobody doubts the industry has a problem. Advertising keeps websites and advertisers afloat but at the expense of all sorts of privacy-bashing tracking that follows, profiles and gathers as much data about users as it can using cross-site tracking.

A lot of web users are fed up with this, hence the popularity of ad blockers and the rise of ad-limiting features in rival browsers such as Firefox.

But according to Wilander, the problem isn’t advertising per se, but the sense that web surveillance has become about not merely understanding what users do but who they are.

The combination of third-party web tracking and ad campaign measurement has led many to conflate web privacy with a web free of advertisements.

Undoubtedly true, but arguably a woe the industry has brought on itself. Can privacy and advertising be reconciled?


Batterygate news: Apple to warn users if iOS updates throttle iPhones

By Lisa Vaas

The latest ripple in the years-long, lawsuit-jammed, regulators-aggravating brouhaha known as batterygate: Apple has pledged to warn iPhone owners if an update is likely to slow down their phones.

The UK Competition and Markets Authority (CMA) said on Wednesday that Apple has agreed to “notify consumers in a clear manner” if an iOS update “materially changes the impact of performance management” on an iPhone:

To ensure compliance with consumer law Apple has formally agreed to improve the information it provides to people about the battery health of their phones and the impact performance management software may have on their phones.

The CMA got involved last year, concerned that people might have tried to repair their phone or replace it because they weren’t aware the software update had caused the handset to slow down.

In addition, the CMA said, people couldn’t easily find information about the health of their phone’s battery, which can degrade over time.

What Apple hadn’t told consumers – but which it would later confess – is that in an attempt to work around iPhones shutting off while still showing 30% of battery life, it released iOS 10.2.1, which throttled the CPU performance of the iPhone 6, iPhone 6s and iPhone SE with older batteries.

It all came to a head when hard benchmark data showing the CPU throttling was posted to Reddit.


Google Ad Exchange in data privacy probe

By Lisa Vaas

The Irish Data Protection Commission (DPC) announced on Wednesday that it’s launched a probe into whether Google’s processing of personal data as part of its Ad Exchange is breaching General Data Protection Regulation (GDPR) rules.

The DPC said that the probe was triggered by Dr. Johnny Ryan, among others. Dr. Ryan is the Chief Policy Officer (CPO) of the privacy-focused Brave browser, which was founded by Brendan Eich, the inventor of JavaScript and co-founder of Mozilla.

According to Dr. Ryan,

Google’s DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites [and] is a driver of Google’s $19.9B revenue from ads served on publishers’ websites and relies on broadcasting users’ personal data, unbeknownst to them.

From the DPC’s announcement:

Arising from the Data Protection Commission’s ongoing examination of data protection compliance in the area of personalized online advertising and a number of submissions to the Data Protection Commission, including those made by Dr. Johnny Ryan of Brave, a statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited’s processing of personal data in the context of its online Ad Exchange.

Formal complaint from Brave

In September, Ryan submitted a formal complaint – to both the Information Commissioner’s Office (ICO) in the UK and to the Irish DPC – against Google and a number of other ad technology firms. Joining him in the complaint were Executive Director of the Open Rights Group Jim Killock and Michael Veale of University College London.

The complaint says that Google’s DoubleClick/Authorized Buyers advertising system is leaking personal data of website visitors to thousands of companies, without people being aware, able to consent, or empowered to do anything about it.


Google stored some passwords in plaintext for 14 years

By Lisa Vaas

Oops, Google said on Tuesday: you know that domain administrator’s tool to reset passwords in the G Suite enterprise product? The one we implemented back in 2005, as in, 14 years ago?

We goofed, Google said. The company’s been storing copies of unhashed passwords – as in, plaintext, unencrypted passwords – all this time.

From a blog post written by Google vice president of engineering Suzanne Frey:

We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards.

Only a small number of enterprise customers were affected, she said, though Google hasn’t put a number on it. People using the free, consumer version weren’t affected. Google’s notified a subset of its enterprise G Suite customers that some of their passwords were stored in plaintext in its encrypted internal systems.

Frey said that no harm came of it, as far as Google can ascertain, and it’s since been fixed:

To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.

How it’s supposed to work

The way Google typically handles passwords is by scrambling them with a hashing algorithm so humans can’t read them. It then stores hashed passwords along with their usernames. Then, both usernames and hashed passwords are encrypted before being saved to disk.


