Friday, December 18, 2015

Have Comcast? Have a data cap? (yes). Are they billing accurately? Do they care?

Are they billing accurately?  Maybe?  Do they care?  Definitely not!

http://arstechnica.com/business/2015/12/comcast-admits-data-cap-meter-blunder-charges-wrong-customer-for-overage/

"I called Comcast... and was patronizingly informed that 'it must be somebody stealing your Wi-Fi,'"

When he got Ars Technica involved:

Oleg provided us his full name and address so we could check into his situation with Comcast. The company investigated the problem after being contacted by Ars and confirmed that its meter readings were inaccurate. “We have reached out and resolved this,” a Comcast spokesperson told Ars. “There was a technical error associated with his account, which we have since corrected.”
 ...
“It turns out their system had my modem MAC address entered incorrectly, there was an off-by-one typo that was hard to see so they were counting data from some modem who knows where,” Oleg told Ars.

Comcast.  Die.  Die. Die.

#Comcast #ComcastDieDieDie

Tuesday, December 15, 2015

The Down side of cloud updates, and how to infuriate your customers

Well, this is a new one: how about a Fortune 100 company, Philips, making an IoT product, Hue, with a tenuous grasp on a small market share, an open product that in spite of a few warts is pretty good and getting better, deciding to change its strategy?

What if it's to delete the "open" part and only talk to its own products, breaking functionality for users of existing third-party products?


Well, the customers were furious, with light bulbs that they can't turn on, and hopefully, they'll (safely) light their Hue hub on FIRE, send it back to Philips, buy a third party hub and never buy another Philips product again.

I certainly won't.

Note to "bright bulbs" at Philips.  (get it? snort).  You know the razor blade and handle story.  Well, this is what you did.  You sold a handle and a bunch of blades, and someone else made blades that fit the handle, and you changed the handle so the other people's blades didn't work, even the ones already bought, and the customer still uses.  For some reason, the customer can't have multiple handles, but they can buy a handle from the "other guys", throw yours away, and never buy another blade from you again.

Update:  Philips backs down, also from Techdirt, that was quick - https://www.techdirt.com/articles/20151216/07562133099/after-spending-day-as-internets-punching-bag-philips-walks-back-firmware-update-that-locked-out-third-party-products.shtml

Friday, October 2, 2015

Oh would Experian PLEASE JUST DIE DIE DIE

You're a credit reporting service for heavens sake!

Experian suffers biggest one-day fall after T-Mobile US hack



you had one job  :-(


Oh they will do your credit monitoring too -

https://nakedsecurity.sophos.com/2015/10/02/t-mobile-customers-hit-by-experian-breach-get-credit-monitoring-by-experian/

Update!  T-Mobile gets a clue (thanks to customers freaking out - so make clue-by-four) 

The Register reports that

T-Mobile US hires someone other than bungling Experian to offer ID theft monitoring to hack victims

Hopefully this doesn't mean that TransUnion gives up our data

WINRAR vulnerability puts customers at risk

They say Data isn't an asset - it's a liability, same with connectivity?

According to ZDNet's Charlie Osborne: "A severe security flaw apparently discovered in the WinRAR suite could allow hackers to compromise user systems."

Hmm.  Without reading the article, I thought "If it's WinRAR, and it has no connectivity, a vulnerability won't be too bad, even if it got PWNED by bad compression parsing"

Wonder what really happened?

P

Ad Blocking in a nutshell

I block ads and you should too, and I will until the following changes:
  1. Third party Ad networks contain malware
    1. That, combined with bugs in browsers, means your system is wide open to fake ads that can take over your system
    2. There's nothing the web site I'm visiting can do about it if the ads are served by a network
    3. There's no excuse to get cryptolocker from the Huffington Post
  2. Ad content takes up too much bandwidth
    1. All my connections have data limits.  I do everything I can to control that data, and ad blockers are only one thing on my list
  3. The size of the ad content takes too long to load
    1. Ad blockers noticeably speed up the web browsing experience 
    2. It's not right that I think my connection is down because I'm waiting for a flash video
  4. The latency of ads slows down the whole site
    1. As above, but this happens for different reasons 

See all this?  They are objective reasons that the advertising model is harmful to consumers.  I said nothing about the aesthetics, where the images don't match the content, or whether the colors in the ad clash with the site, or whether I'm interested in Ashley Madison, or clothes for "big and tall" men, or colostomy bags, for that matter.

I don't care about the ads themselves, you gotta pay for the web, it's the networks that are ruining the experience, and people will block until the networks get their act together.


Thursday, October 1, 2015

Yeah, about Windows 10 Privacy, 7 is likely my last windows OS :-(

I haven't talked about it yet, but Microsoft considers Windows 10 a "service", meaning theirs, not yours, and they can monitor anything they want.

As a result, people are panicking and accusing them of all kinds of things, like reading your emails, which they apparently don't do, according to their blog or TechNet - either in consumer or enterprise versions.

According to Techdirt, though, and Ars Technica, they don't address other things, like Cortana (Microsoft's Siri), which remains on and collecting data, and isn't disabled when a user or admin disables telemetry.

As a result, I, and other people a lot more Microsoft-centric than me, are moving toward Linux.

:-(

Thanks techdirt!


Tuesday, September 15, 2015

ATM Advice to keep your card safe - check Bluetooth for "Free2Move" before using the machine

First (Honest!) Make sure your card is linked to a small bank account, not your investment account - now!

And debit cards are more dangerous than credit cards if they get cloned

Now, pull out your phone if you're using an ATM away from home, especially if it's in a tourist area and not physically attached to a bank - check if there's a Bluetooth signal called "Free2Move" - if so DON'T USE THE ATM, it's likely been compromised.

If you want to find out more, read Krebs' articles here:


Tracking a Bluetooth Skimmer Gang in Mexico
or here

Tracking Bluetooth Skimmers in Mexico, Part II


Wednesday, August 19, 2015

There are $5 Wifi buttons that can automatically order from Amazon. Who knew? Well they're hackable for your own evil purposes

From The Verge: http://www.theverge.com/2015/8/18/9174595/amazon-dash-buttons-hack

It was only a matter of time before someone discovered how to hack Amazon’s dash buttons, the tiny, Wi-Fi enabled devices you can use to buy more detergent or toilet paper at the literal push of a button. As cofounder and CTO of software firm Cloudstitch Ted Benson discovered, with some basic programming skills, you can hack them to do almost anything.

Yeah... Tile... It helps you find things... or others find you...

I want one, but it's scary. The new one even has batteries.

From the Verge article above:

Tile was an early Kickstarter success story and now it's hitting the big leagues. Starting today, there's a new version that will be available both online and in retail stores. The Tile is designed to help you find your keys — or purse, or basically whatever else you can attach it to. That remains unchanged — pair it to your iPhone or Android device and you can tap a button on your phone to make the little square dongle beep. Tile says that said beep is three times louder now and will work within 100 feet — both claims ring (ahem) true in my testing. Tile also has another clever feature — if you lose something, you can tell the Tile hive mind and every Tile user's phone will start looking for it. If it's detected, you'll get an alert on your phone — but the user who came near it won't know, protecting your privacy and your stuff.
Every phone can become a Tile now
Tile has also updated its app, now it lets the Tile system ring your phone if it's lost, effectively creating a backup find-my-phone system

And if there's any doubt about how it works, and how much it lives in the background...
On Android, one sort of annoying thing about the system is that you can't quit the app if you want it to work. That does mean you can kill it and save battery, but it seems like the sort of thing that ought to live in the notification tray.
 Welcome to the unwelcome part of the future...



Monday, August 17, 2015

Ex-Employees Accuse Kaspersky of creating false positives in their database so competitors flag harmless files

In what can easily be described as "Byzantine", Engadget reports on a Reuters story that:

Reuters reports that a pair of former employees have accused Moscow-based Kaspersky Labs of building malware to trick its competition into flagging and quarantining important, non-viral, files on customers' computers. Basically the malware would inject malicious bits of code into important PC files -- like, say, your printer's .ini files -- which would then be flagged as a false positive and quarantined or deleted.

 Awesome!  People that say anti-virus companies write viruses are being way too one-dimensional

Friday, July 24, 2015

Ohhh, maybe there WAS classified email on that server after all...

According to WashTimes, there WAS classified material on Hillary's server
http://www.washingtontimes.com/news/2015/jul/1/state-dept-admits-dozens-hillary-clintons-emails-c/?page=all

Isn't it the case that the president is the ultimate classification authority?  So that settles it - it wasn't classified, the president did nothing wrong

"I'm not going to have some reporters pawing through our papers. We are the president."
Quoted in Blood Sport: The President and His Adversaries (p. 368), James B. Stewart, December 1993

Thursday, July 16, 2015

Intel Security analysis of UEFI rootkit from HackingTeam, and a revelation

This is courtesy of Xeno's Twitter feed

http://www.intelsecurity.com/advanced-threat-research/blog.html


From the paper:
Updating the SPI flash, where system firmware is usually stored, is usually accomplished either through physically attaching a programmer to the chip or through a signed update mechanism built into the firmware. One of the leaked emails contains a presentation (presumably for potential customers) that describes this:

 Explanations:
  1. "Attaching a programmer to the chip" - well known - supply chain attack or "black bag job"
  2. "Signed update mechanism" - presumed, but important since I think this is much more common on enterprise systems over personal or consumer
This is key - it means it needs a bag job, or an enterprise system.

If you support enterprise systems, you can consider yourself a target.

I'm sorry their email was compromised, but they're doing bad things, and they're not an entertainment company here, trash talking movie stars.  They're targeting me and my clients/sponsors - the contents of the emails and files are fair game for us to protect ourselves.

 How do I protect myself or my clients?

From the paper:

Intel has released CHIPSEC, which contains various tests and tools for platform security assessment, including some forensic capabilities.

They go on to give examples of how to use and what the results mean, and most importantly:
 
Installing [the Hacking Team] firmware rootkit involves rewriting SPI flash. The system firmware is responsible for securely configuring the protections on SPI flash in order to prevent this. CHIPSEC contains configuration checks that users can easily run:
    • python chipsec_main.py -m common.bios_wp
This does not mean that the system is infected, but it would be harder to infect a system that passes this test than one that fails. If this test fails, it may be possible for software running on the system to modify the BIOS in the SPI flash due to insecure configuration of the hardware protections.
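To make the quoted check concrete, here is an added Python illustration (not CHIPSEC's own code, and not from the paper) of what a BIOS write-protection test reasons about: it decodes constructed BIOS_CNTL and SPI protected-range register values and applies the pass/fail policy the paper describes. It assumes the Intel PCH bit layouts named in the docstring; every register value is a constructed sample.

```python
"""
What a BIOS write-protection check like CHIPSEC's common.bios_wp reasons about.

Added illustration, not CHIPSEC's own code. Assumptions: the BIOS_CNTL bit
layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and the SPI protected-range
(PRx) layout (WPE bit 31, limit in bits 28:16, base in bits 12:0, 4 KiB units)
follow Intel PCH datasheets; all register values below are constructed samples,
not read from real hardware.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

BIOSWE = 1 << 0   # BIOS Write Enable: when set, software may write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes only allowed while the CPU is in SMM


@dataclass
class Verdict:
    passed: bool
    reasons: List[str] = field(default_factory=list)


def decode_pr(pr: int) -> Tuple[int, int, bool]:
    """Return (base, limit, write_protect_enabled) of one PRx register, in bytes."""
    wpe = bool(pr & (1 << 31))
    base = (pr & 0x1FFF) << 12
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    return base, limit, wpe


def ranges_cover(prs: List[int], lo: int, hi: int) -> bool:
    """True if the write-protected PRx ranges, merged, cover every byte in [lo, hi]."""
    spans = sorted((b, l) for b, l, wpe in map(decode_pr, prs) if wpe and l >= b)
    cursor = lo
    for base, limit in spans:
        if base > cursor:
            break                      # gap before this range: region not fully covered
        cursor = max(cursor, limit + 1)
        if cursor > hi:
            return True
    return cursor > hi


def check_bios_wp(bios_cntl: int, prs: List[int], bios_lo: int, bios_hi: int) -> Verdict:
    """Pass if BIOS_CNTL locks the BIOS region, or PRx ranges protect all of it."""
    reasons = []
    ble, biswe, smm_bwp = bool(bios_cntl & BLE), bool(bios_cntl & BIOSWE), bool(bios_cntl & SMM_BWP)
    cntl_ok = ble and not biswe and smm_bwp
    if biswe:
        reasons.append("BIOSWE set: BIOS region writable by software")
    if not ble:
        reasons.append("BLE clear: BIOSWE can be set without trapping to SMM")
    if ble and not smm_bwp:
        reasons.append("SMM_BWP clear: BLE alone can be raced from non-SMM code")
    pr_ok = ranges_cover(prs, bios_lo, bios_hi)
    if not pr_ok:
        reasons.append("SPI protected ranges do not cover the whole BIOS region")
    return Verdict(cntl_ok or pr_ok, reasons)


# Constructed sample: 8 MiB flash with the BIOS region in the top 512 KiB.
BIOS_LO, BIOS_HI = 0x780000, 0x7FFFFF
LOCKED_CNTL = BLE | SMM_BWP                    # 0x22: locked, BIOSWE clear
OPEN_CNTL = BIOSWE                             # 0x01: writable, no lock at all
PR_BIOS = (1 << 31) | (0x7FF << 16) | 0x780    # WPE range 0x780000-0x7FFFFF

if __name__ == "__main__":
    for name, cntl, prs in (("locked", LOCKED_CNTL, []), ("open", OPEN_CNTL, []),
                            ("open+PR", OPEN_CNTL, [PR_BIOS]), ("BLE only", BLE, [])):
        v = check_bios_wp(cntl, prs, BIOS_LO, BIOS_HI)
        print(f"{name:9} {'PASSED' if v.passed else 'FAILED'} {v.reasons}")
```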

This means to me that you'll need Python to run it (go figure, we're on Windows, guys), but I'll spin it up on a couple of machines to see what happens

P

Sunday, July 12, 2015

Oh. My. God. Flickr made a change on May 7 to upload ALL your photos to themselves, and I missed it

Yes, I only noticed now that Flickr uploads everything from your iPhone into their cloud

http://mac.softpedia.com/blog/Yahoo-Releases-Flickr-4-0-for-iOS-with-Instagram-Sharing-Support-New-Look-480407.shtml

I just went to their app and saw all my pictures.

HOW COULD I HAVE MISSED THAT?!

Thursday, July 9, 2015

Why Yes, legislators in other countries (especially the EU) are idiots too

Updated:  German publishers lost similar cases in 2014 and again in 2015 and are trying again. Basically VG Media wants the German government to both require payments from Google for all traffic they send, and to send the traffic too.  Good luck with that!

Like Spain, where in Dec 2014 they passed a law requiring all search engines to pay newspapers for snippets and links, whether the newspapers wanted them to or not.  Google on December 11, 2014 responded with:
"it’s with real sadness that on 16 December (before the new law comes into effect in January) we’ll remove Spanish publishers from Google News, and close Google News in Spain."
Techdirt called it the "Nuclear Option", although the rest of us can call it "Duh".  What were they thinking?

Update after reading (more of)  the Forbes article: Well.  My mistake. 6 months later, Google News ES is still closed.  Huh.  I guess they don't have a problem with that.


Hopefully the message wasn't lost on Germany, pushing for the same thing again in July 2015

Oh well, here goes Spain again, going full police state on everyone,  banning demonstrations and taking pictures of police.


Perry

PS. Oh and patch your systems too

Wednesday, July 8, 2015

It's time to set "click-to-play"

According to the lovely @SwiftonSecurity there's at least one Flash zero day out now, and you can get cryptolocker from malvertising

Instructions to set click-to-play are here:

http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

In a nutshell:
  1. Chrome - Settings -> Advanced -> Privacy -> Content -> Plugins -> "Let me choose"
  2. Firefox - Tools -> Addons -> Plugins drop-down -> Ask to Activate
  3. Internet Explorer - gear icon -> Manage Add-ons -> Toolbars and Extensions -> Shockwave Flash Object plug-in under Adobe Systems Incorporated; right-click it, select More information -> Remove all sites button

Monday, June 15, 2015

Yeah. OPM.

Let's start in 2014, where Our Fearless Leader appoints Michael Daniel to be the US Cybersecurity Coordinator (Cyber Czar), who's proud to have no technical knowledge (Forbes)

Mix in an inspector general's report that described the agency’s computer security system as a Chinese hacker’s dream.  (NYTimes)
"The problems were so severe for two systems that hosted the databases used by the Federal Investigative Service, which is responsible for the background investigations for officials and contractors who are issued security clearances, that the inspector general argued for temporarily shutting them down because the security flaws “could potentially have national security implications.”"

What do you get?  Unlimited access to the Office of Personnel Management's records databases by unknown hackers, including highly sensitive clearance information.
 “OPM is being very resistant to agree to attend,” Rep. Jason Chaffetz (R-Utah) said. “I’m prepared to issue a subpoena if need be to get them there.”
(NPR, and boy did I love waking up to that on my clock radio last Friday morning)

Extra credit to OPM people refusing to testify before congress re the breach

Stay classy, US government

PS - Check out Krebs on it


Tuesday, June 2, 2015

OK, it's time to stop trusting SourceForge

Well, it's official.

SourceForge is putting paid third-party code into projects, similar to the junk that Oracle puts into Java, or Adobe into Flash.  No surprise, since they're now owned by a job-hunting site, Dice, or DHI Group Inc. (note the category warning announcement)

They're backtracking on the insertion of some really bad stuff into GIMP (Ars Technica), saying that they thought GIMP was dead, and that listening to their user [outcry] they'll now only do it on certain projects.

They are saying it's opt-in only, but both things are only a bad quarter and a policy change away.

Unfortunately I'm putting them in the AVOID category, like Tucows and CNET :-(

Update: It's definitely time to untrust them - they hijacked Nmap!

Perry

Friday, May 29, 2015

Change to Uber in July wants to track users all the time and spam their contacts?

More here:

http://www.itworld.com/article/2928515/security/uber-revises-privacy-policy-wants-more-data-from-users.html

Maybe it's a false alarm and I'll have to add it back

Thursday, April 16, 2015

Voting Machines use unpatched Windows XP, WEP, simple passwords; instantly decertified


Ars finds:

Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts.
The AVS WINVote, made by Advanced Voting Solutions, passed necessary voting systems standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of "admin," "abcde," and "shoup" to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November's elections.

http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/

How many times do I have to say it - Electronic voting is a BAD IDEA

Wednesday, March 4, 2015

US Secretary of State exclusively uses private Email, pleads ignorance

Coming to the attention of the public when one of her closest advisors gets hacked by a Romanian hacker "Guccifer",  Hillary Clinton did not use public email during her whole term as secretary of state

http://www.thesmokinggun.com/documents/investigation/hillary-clinton-private-e-mail-account-897531

While the contents of only some of the emails have been made public, the list of subjects that is published shows some that clearly might contain classified information.

I guess Hillary doesn't really get the "protect information from enemies of the state" thing.  Hillary, when using private internet services, there's really no way to know who's reading the information.

I'm really surprised this didn't come out earlier.  Is there something (special) about the providers that she and her circle of friends are using?

Funny how they forced an ambassador who did the same thing to resign
http://thefederalist.com/2015/03/05/hillarys-state-dept-forced-the-resignation-of-an-ambassador-for-using-private-e-mail/


In other news, thanks to Popehat, Gen David Petraeus won't be getting jail time for leaking more-secret-than TS information to his biographer/mistress/girlfriend


Tuesday, March 3, 2015

Uber is worth a gazillion dollars, and is putting the Taxi industry out of business - how can they be such idiots? Again!

By Dan Goodin
Ars Technica
March 2, 2015

Uber is trying to force GitHub to disclose the IP address of every person that accessed a webpage connected to a database intrusion that exposed sensitive personal data for 50,000 drivers. The court action revealed that a security key unlocking the database was stored on a publicly accessible place, the online equivalent of stashing a house key under a doormat.[ but more visible - pe]

Uber officials have yet to say precisely what information was contained in the two now-unavailable GitHub gists. But in a lawsuit filed Friday against the unknown John Doe intruders, Uber lawyers said the URLs contained a security key that allowed unauthorized access to the names and driver's license numbers of about 50,000 Uber drivers. The ride-sharing service disclosed the breach on Friday, more than two months after it was discovered.

more...

Tuesday, February 24, 2015

Intuit is accused of deliberately allowing fraudulent returns for increased market share

Brian Krebs writes that Intuit is accused, apparently with proof like audio, video, or email, of making the conscious decision to reduce fraud detection when criminals went to their competitors and caused them to lose market share.

http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/

Question:  If a criminal files a fraudulent return from a web site and pays with a percentage of the refund, and then the refund can't be recovered, will the web site operator have to return the fee?  What's the penalty?  What if they're found to be doing it deliberately?  Losing their ability to file?

People:  Friends don't let friends overpay their taxes.

Monday, February 23, 2015

Think Superfish isn't a big deal?

Well, first off, remember that it compromises the whole IE/Firefox infrastructure
(and possibly code signing =8-0 ) of the whole machine  [perry]

Second, there are lots of Non-Lenovo (14) (+?) apps that use it and it's getting easier to break

Now it's breakable and exploitable by a Raspberry Pi (with instructions)

Oh, there is a true virus that exploits it, and Komodia, the company behind the MITM-by-local-internal-proxy, is under DDoS attack.  Did we mention that the password is Komodia?  And that many commercial companies use products from Komodia?

And, while Lenovo has apologized (they still have a business), and has updated auto and manual removal instructions

Of course Superfish says it's not so bad
 
Understandable, but no.

And a movie that shows how to remove Superfish.A from Chrome - from Jul 2014

Thursday, January 29, 2015

Oracle Java installs Malware Toolbar without "Ask"ing

Updates after Java 7 Update 71 don't appear to allow opting-out of Ask toolbar. 

It does let you choose whether to use Ask as the default search engine, and another thing, but the Ask toolbar looks like it's automatic

I'll just delete java then

 Do they really need the money?  Will Java stop being free?

It's really time to get completely off the Java platform.

Monday, January 26, 2015

Chris Christie shows abuse of ez-pass and metadata in a single speech

And what type of human being he is, effectively making it impossible for him to be president.

(I honestly don't know if I'd pick him or Obama, but Obama can't run again)

Techdirt, as usual has a great article

So here's the lead up, from Bill Baroni -
"Respectfully, Senator, you only started paying tolls recently," [Port Authority Deputy Chief Bill] Baroni said, according to a transcript of the exchange. "In fact, I have a copy of your free E-ZPass," he continued, holding up a physical copy of the toll pass Lautenberg had received as a benefit from his tenure as a Port Authority commissioner. "You took 284 trips for free in the last 2 years you had a pass."
And here's Chris Christie abusing E-ZPass; Techdirt quotes him saying, about a rival:
At a press conference, he alleged that the senator didn't "pay for parking at Port Authority facilities" and said Lautenberg went "through the tunnel to New York three or four times a week in 2005 and 2006."
I find it interesting, too, by the way, in 2005 and 2006, that he went over the Hudson River 284 times. Where was he going?... I think he needs to answer that. 'Cause he's supposed to be the senator from New Jersey. So what's he doing going over the bridge or through the tunnel to New York three or four times a week for 2005 and 2006?... Did he ever spend any time in New Jersey?
Did you think:
  1. E-ZPass data was confidential?  Nope
  2. That the government reading E-ZPass  data needed a warrant?  Nope
  3. That Metadata was harmless?  Nope
  4. That Government thinks Metadata can't be abused? Nope
  5. That Chris Christie is above anything slimy or scummy? Data is still out
Oh they do have a link to the pdf of NJ committee meeting that includes testimony about bridgegate and some details about traffic readers in the Fort Lee area, and I think how many E-ZPass details they get. 

Tuesday, January 20, 2015

A Responsible Disclosure Success Story

My wine app (Vivino; I do like it, but wish it read bar codes) was successfully compromised by a white hat hacker.  What did he do?   Told them nicely.  What did they do?  Worked with him to fix it, patched it, and comped him for a year.

How cool is that!?

http://www.hotforsecurity.com/blog/vivino-wine-lovers-app-leaked-personal-information-11222.html


Friday, January 16, 2015

DC Library has series on Internet Freedom in America

Titled "Orwellian America, Government Transparency and Personal Privacy in the Digital Age", the series sponsors readings of books like "1984", a showing of "The Internet's Own Boy", discussions of government transparency, lessons on how to use Tor, and other things to help citizens of oppressive dictatorships be safe on the Internet.  The theme is understanding widespread surveillance and the growing governmental culture of Big Brother in American government.


Monday, January 12, 2015

USA Today Columnist Defends Paris Attacks

In the "Opposing view" just after the Paris terror attacks, radical cleric, living in London, Anjem Choudary matter-of-factly asserts that dishonoring Islam is expected to provoke fatal consequences, and the cartoonists, and publishers are, in effect, the villains, since:
Muslims consider the honor of the Prophet Muhammad to be dearer to them than that of their parents or even themselves. To defend it is considered to be an obligation upon them. The strict punishment if found guilty of this crime under sharia (Islamic law) is capital punishment implementable by an Islamic State. This is because the Messenger Muhammad said, "Whoever insults a Prophet kill him."

http://www.usatoday.com/story/opinion/2015/01/07/islam-allah-muslims-shariah-anjem-choudary-editorials-debates/21417461/


In his crazy? Middle-ages? view, the insults were "incitement and hatred", and should have been expected, and I think, banned.

Which speech was more inciteful?  Charlie, or the USA Today column?

Sunday, January 11, 2015

Taylor Swift's Decent Security helps lock down Adobe reader

Actually a good how-to

http://www.decentsecurity.com/visual-guides/#/automatically-update-adobe-reader/

Keep on the lookout for her upcoming book