May 30, 2019

A million devices still vulnerable to ‘wormable’ RDP hole

By Danny Bradbury

An internet-wide scan has revealed almost one million devices vulnerable to BlueKeep, the Windows vulnerability that has the security community on high alert this month.

BlueKeep is better known as CVE-2019-0708, a vulnerability in Windows Remote Desktop Services, accessible via RDP, that Microsoft announced in its May Patch Tuesday release. It allows for remote code execution and is wormable, meaning that a compromised Windows machine could seek out and infect other vulnerable devices with no human interaction. Worms can spread quickly online, as we saw with the WannaCry ransomware exploit in 2017.

BlueKeep affects Windows XP, Vista, and 7 machines, but not Windows 8 or 10 boxes. The older versions make up around 35% of Windows installations, according to Statcounter. The flaw also affects Windows Server 2003 and 2008.

Security researcher Rob Graham ran a two-part scanning project to find out how many machines were vulnerable to this worrying flaw. He began by scanning the entire internet using a mass-scanning tool to find all devices responding on port 3389, the port most commonly used with RDP.

Then, he honed the results by forking a BlueKeep scanner project that ended up in the Metasploit pen testing tool last week. His fork created rdpscan, a tool designed to quickly iterate over a large set of addresses looking for Windows boxes vulnerable to BlueKeep exploits.


What a teen grade hacker’s confession can teach us

By Lisa Vaas

It’s hard to know whether to laugh or cry at a new column that Motherboard’s Vice started earlier this month.

It’s called Scam Academy. Pull up a chair, students: Scam Academy is where you come to read about “schemes and cheats from within the high schools and colleges of America.” The authors are not Vice journalists. No, the authors are the ones who’ve cheated and accepted Vice’s invitation to share how they did it and why.

Presuming that these stories are true confessionals and not just made up for the lulz, the most recent column could have been titled “I made money hacking my teacher’s computer to change grades. It wasn’t particularly legal, but it was fun.”

Actually, forget about laughing or crying. Instead, if you’re anybody who works in education, be it teaching or in school IT administration, you need to grab a notepad and jot down what this anonymous kid had to say, because he or she described security holes big enough to drive a school bus through.


New research generates deepfake video from a single picture

By Danny Bradbury

You’ve all seen the deepfake video of a digital Barack Obama sock puppet controlled by Jordan Peele, but we bet you haven’t seen an animated video of the Mona Lisa talking before. Well, thanks to the magic of AI, now you can.

Deepfake AI produces realistic videos of people doing and saying fictitious things. It’s been used to create everything from fake celebrity porn through to creepy video amalgams of Donald Trump and Nick Cage.

According to the team at Samsung Research’s Moscow-based AI lab, the problem with existing deepfakes is that the convolutional neural networks that they train on munch through a huge amount of material. When it comes to deepfakes, that means either lots of photos of the target, or several minutes of video footage.

That’s fine if you’re mimicking a public figure, but it’s problematic if you don’t have that much footage. The Samsung AI researchers came up with an alternative technique that let them train a deepfake using as little as a single still image, in a technique they call one-shot learning. The quality improves if they use more images (few-shot learning), they say, adding that even eight frames can create a marked improvement.

The technique works by conducting the heavy training on a large set of videos depicting different people. This technique, which the researchers call ‘meta-learning’ in their paper, helps identify key facial ‘landmarks’ which it can then use as anchors when creating deepfake videos of new targets.


Three tech-support scammers charged with ripping off the elderly

By Lisa Vaas

Three alleged tech-support scammers have been charged with bilking the elderly out of at least $1.3 million for tech support services they didn’t need and never got.

The US Attorney’s Office for the Southern District of New York announced on Friday that the three had been arrested the day before.

According to a complaint filed by FBI Special Agent Carie Jeleniewski, the trio would allegedly cold-call their victims, running through the standard tech support scammer’s ruse of claiming to be from one of the big computer companies and warning the victims that their computer was infected with a virus. This went on for years, starting at least in 2013 and continuing on up until this month.

In fact, while investigators were interviewing one of the defendants, Gurjet Singh, at his home in Queens, New York, a carrier truck pulled up to deliver a check made payable to NY IT Solutions Inc. – one of the companies the alleged fraudsters set up to deposit money mailed in by their victims. According to the criminal complaint, Singh had been in the midst of explaining to officers that he collected checks and then wired the money to Gunjit Malhotra, from India. Singh’s cut of the allegedly swindled funds: 8%.

The defendants are Malhotra, 30, of Ghaziabad, India; Singh, 22, of Queens, New York, and Jas Pal, 54, also of Queens. They’ve each been charged with one count of conspiracy to commit mail fraud, which carries a maximum sentence of 20 years in prison. They’ve each also been charged with one count of conspiracy to access a protected computer in furtherance of fraud, which carries a maximum sentence of five years in prison. Maximum sentences are rarely handed out.

Singh was also charged with aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.


Researchers uncover smart padlock’s dumb security

By John E Dunn

Remember the Balboa Internet of Things (IoT) hot tub whose security was so dire it allowed researchers to remotely tweak important settings via the internet?

A few months on and the researchers behind that exposé, Pen Test Partners, have turned their attention to another incarnation of the same IoT theme in the form of the ‘smart’ Bluetooth padlock made by Chinese company Nokelock (not to be confused with the unrelated company Noke).

While Nokelock might not jump out as a household name, its smart padlocks feature prominently on for around $40 (£30) – including one rated ‘Amazon’s Choice’ – as well as under a range of other brand names.

Obviously, the point of a traditional padlock is to stop anyone who doesn’t have a key from unlocking it. In the case of the Nokelock, the function of the key is performed by a fingerprint reader built into the shackle that is configured using a smartphone app.

This convenience means that lots of users can be enrolled to use it without having to hand out keys that cost a lot to copy and might get lost.

Unfortunately, says Pen Test Partners, the Nokelock and its API also come with some major security flaws that prospective owners might like to know about before they stump up their cash.


