Monday, December 30, 2019

Wyze... Ain't



Security camera startup Wyze leaked data on millions of customers.
Email addresses, wi-fi network IDs, and body metrics exposed.
Are you still seriously using this crap?


CNET's Data breach hall of shame for 2019
Great progress has been made - it's only up 33% overall.


US Coast Guard says Ryuk ransomware took out a maritime facility. It was most likely phishing. 30 hours downtime.  We won't learn.


The year in security debacles




LINUX


Just in case it skipped your mind, ClamAV works well on Debian/Ubuntu, CLI or GUI.


Do as much research as possible before buying hardware to make sure it's linux-compatible.


Simulate linux commands without blowing anything up. Find out what it's going to do before you do it.



Thursday, December 26, 2019

The Maze of Pensacola



The group behind the Maze ransomware put out 2G of files they stole from the city of Pensacola to prove they were serious. In other words, the city has thus far refused to pay the ransom. And they don't have backups.


Multiple Chrome vulns in SQLite let hackers execute arbitrary code remotely.  Don't use Chrome.  Ok, don't use Chrome prior to 79.0.3945.79 (divided by pi, minus 13).


How orgs can defend against advanced persistent threats

  1. disconnect everything from the internet
  2. buy any antivirus company's advanced persistent threat module
  3. don't worry about it - they're rare
  4. the VP needs a new boat - maybe next year


Be careful of Christmas, Hanukkah, Kwanzaa and New Year's themed malware. The initial version comes via snail mail, with a phrase like Merry Christmas on it. DO NOT OPEN IT. Later versions come in the form of email, with similar phrases on the subject line. Don't open these either. The most virulent, nasty malware is marked by subject lines with emojis on them. Never open these. Jonathan McAfree, from McAfree Antivirus Division (MAD) explains that if you delete them immediately, the authors will get tired and not send any more of them.




Monday, December 23, 2019

Zombie Cisco Vuln



It's back. An already-fixed Cisco vuln.
With 'how to check' demo.


Dropbox Zero Day gets short temp fix


Reverse engineering with Ghidra


NSA's backdoor key from Lotus Notes



Friday, December 20, 2019

Vivaldi Plays Beethoven



If your browser is having trouble getting in the front door, just tell the door you're not that browser. Vivaldi changed its user agent string so it can get through blocks.


Oops - Honda exposed 26k North American customers' data.
Are you ready? It was a misconfigured Elasticsearch cluster. Misconfigured as in Wide Open. This wasn't a big deal for Honda, because the exact same problem occurred in July.

Honda: Yes, we seem to have a bit of a spill in the.. uh.. American market.
Customers: All of our personal info was open to the planet?
Honda: Yes, terribly sorry.
Customers: But you had the same thing happen earlier this year. Didn't you learn anything?
Honda: Yes, yes we did. We learned from our mistake, enough to repeat it again exactly.
[apologies to Peter Cook and Dudley Moore]


If you need a quick, industry-related laugh, and who doesn't, read this little ditty on Faceyspaces, lawmakers, location tracking, and 'certain security functions.' The sheer creativity, legalese, and attempts to appear innocently-stupid are breathtaking.



"Stupid design decisions made by engineers who had no idea how to create a secure system. And this, in a nutshell, is the problem with the Internet-of-Things."
Bruce Schneier speaks like he's in my head.



Wawa, the convenience store chain around the Philly area (not the guitar pedal), said all 850 stores were affected by PoS malware skimmers. It took from March to December to discover it. Notice was given on their webpage, because everybody goes to Wawa's web page.



Linux environment variable tips and tricks




Wednesday, December 18, 2019

Yes, We Stole it, Yes, We'll Sell it Back to You



Hackers stole data for 15 million people, sold it back to the lab that lost it.
Who says there's nothing new under the sun?


Gee, Mrs Lubner, we're awful sorry our Chrome update made your android data disappear. It's ok, though - the next upgrade will make it visible.


Over 1,000 US schools hit by ransomware in 2019.
Never thought I'd be saying it's worse than I thought....


With all the schools, businesses, and state governments not backing up and falling victim to ransomware, it's a great time to be in ITSec.


7 ways to remember linux commands


Faceyspaces' TOR site down for 2 weeks due to expired TLS cert.



Tuesday, December 17, 2019

Malware for the Moon?

The Air Force is seeking proposals for technologies "for operations far beyond geosynchronous Earth orbit, near the moon's orbit: payloads for providing space domain awareness from the lunar surface, lightweight sensors for space-based space domain awareness, and methodologies for orbit determination and catalog maintenance in cislunar space."

They don't usually leak this kind of information.
So if you have these skills, give them a call.
For those of us who can't understand more than 2 words of the above (me): ask someone to tell you what Space Force is up to.


A New Jersey hospital 'had to' pay a fee after they got hit with ransomware.
Because, you know, backups are soooo hard.



Chinese e-commerce site lightinthebox.com operated in the sharing spirit: it shared 1.3TB of data, including server logs, user data, and more.


Snatch and Zeppelin ransomware recap.



Plundervolt: stealing secrets by 'undervolting'


The city of New Orleans, Louisiana, got themselves some ransomware. The mayor declared a state of emergency. It appears to be the threat actors behind Ryuk. The city is still working to recover data from the attack.

Hmmm.....  the city's emergency preparedness campaign is managed by the Office of Homeland Security and Emergency Preparedness. From the way the article is worded, the city and Homeland Security don't think much of backups.


A WhatsApp bug could have let anyone crash WhatsApp for all group members.
I have one word for you: Signal.


The writers of Nginx were interrogated at gunpoint, in their homes, at 7am because a former employer claims it was developed while one of them worked there.


VISA warns that hackers are scraping card details from gas pumps.




LINUX


How to use the uniq command - a unique command.

Friday, December 13, 2019

Ring - Who's There?



A forum and associated livestream are behind a bunch of Ring camera hacks. These are the indoor cameras, not the doorbells. The cameras started 'talking' to people, making nasty comments, and demanding Bitcoin.

I'm having trouble typing (more so) because of the laughter.


564 Siemens bugs that could allow hackers to pwn power plants.
Let's not speak only of these bugs... let's also speak of incredibly stupid to non-existent security designs.


If you think it's a good idea to replace your Ubuntu-provided VirtualBox installation with Oracle's, here's how. After the article, you might not want to.
In Ubuntu, you get whatever version is current when Ubuntu is released and you won't get an update until the next version. With Oracle, you'll get the regular updates, with the new features.



Google is now banning some linux browsers from their services.
Because they're 'not secure'.
What this means is that javascript is turned off, just like the message I get when I try to access a Google site using Firefox, because I turn javascript off by default. Yay Google - help us some more!



7 ways to remember linux commands

Number 8: use all of them every day


Cigna uses AI to check if patients are taking their medications.
Gee, who has access to this data?
Another great push on the handcart to hell.



Wednesday, December 11, 2019

5G - not for thee




You'll like this: the next generation Snapdragon chip, which will be in everyone's flagship phone next year, requires a 2nd chip for 4G+5G. Although the processor is 25% faster, the 2nd chip will suck power, resulting in less battery time. But 5G! Meanwhile, everyone needing 4G gets less battery life. Considering the alleged availability of 5G, you should probably avoid new phones in 2020.


Microsoft Teams is now available for linux.
The end of the world is nigh.


Don't forget to patch Windows. The current one is important.



Tuesday, December 10, 2019

Uh-oh - Win 7



Half the NHS runs on Windows 7
Because it was a huge surprise that support ends January 14, 2020.


Speaking of the UK, government laptop losses soar 400%
What are they doing with them - leaving them on top of their cars?


Snatch ransomware reboots Windows in Safe Mode to bypass antivirus
Tricky. 
Now let's debate MS products having a Safe Mode.


Trickbot credential stealing malware abuses Google Suite to hide malicious activity.  Google Suite is malicious activity.



Over 750,000 applications for US birth certificate copies exposed online
Once again, unsecured buckets. What is the matter with us?





Linux

How to set up Rsyslog server on Ubuntu 18.04 LTS


WireGuard VPN is on its way into linux. It's approved for the new kernel, to arrive early 2020.



Monday, December 9, 2019

Diversity



This is one of those deceptively-titled posts:
Debian developers take to voting over init system diversity.

There are not enough female commands?
The command line is a tool of the patriarchy?
Women don't look good with pocket protectors?



Researchers have discovered a security flaw in macOS, Linux, and several other operating systems that could let attackers hijack a wide range of virtual private network (VPN) connections.  The only positive point is that it's hard to exploit. Wait for a patch.



How to install Kali undercover mode on any XFCE distro
Hysterical.


Friday, December 6, 2019

Apple Sleight of Hand



Security Dude Brian Krebs discovered the iPhone 11 sent location data even when the service was disabled. Apple said they didn't see any problems. Now Apple says the chip necessitates constant location checks.

Bulldookey.


A bug in the way unix-flavored systems handle TCP connections could put VPN users at risk of having their encrypted traffic hijacked.

Affects "most" Linux distros, along with Android, iOS, macOS, FreeBSD, and OpenBSD.


New Mac malware hides behind a fake crypto trading platform called Union Crypto Trader.  Probably North Korean Lazarus group.


VPN is going away - check out Zero Trust


Really good piece on why the user isn't a consideration in software.
Nor is privacy. Surprise - it's Google! Not surprise: don't use Chrome or any browser based on Chrome.



Have a fun weekend. We'll be back Monday, with another slate of specially curated (the ones I came across) stories. Remember: tell your friends about ThermionicMalware. Better yet, tell people you don't like. Reproduction of this blog is prohibited without express written consent of the Backyard Underwriter Liability Lobby of Swingset Hueristics, Investigative Trade (BULLSHIT).



Thursday, December 5, 2019

Microsoft - We're Listening



Microsoft is still planning a cheaper, disc-less next-gen Xbox.
They wanted to assure everyone that it will still include its always-on microphone.


Thousands of cell phone bills exposed by Sprint contractor.
Once again, open buckets. We. Will. Not. Learn.


Severe auth bypass and priv-esc vulns disclosed in OpenBSD


Mozilla is making great progress on their speech-to-text offering.
We need this so badly....


Two malicious Python packages that steal SSH and GPG keys existed in the Python Package Index for a year



Instagram to collect ages in leap for youth safety, alcohol ads
They deny there's anything remotely invasive or creepy about this, and that no one would lie to them anyway.



Must-have portable apps
Very effective when the system won't let you install software.



Major US data center provider hit by ransomware  
CyrusOne, a major data center.


Search engine that cryptographically protects your privacy?
Why do privacy-concerned search engines require a cookie to save your preferences? Well, we know why, but irony. Sometimes they give you a custom url that preserves your settings.






Wednesday, December 4, 2019

Hacker Zero




HackerOne breach lets outside hacker read customers' private bug reports.
With a cookie. Cookies are the panacea of life.


In the continuing march to more expensive doom and possibly crippling radiation, here's some more great 5G news.  News: it's not going to make pancakes, watch your kids, or even let you use it.

In addition, the EU council is in a bit of a tizzy about 5G.


Firefox 71 released with native MP3 decoding, because patents expired. Other interesting features...including kiosk mode and password manager. Unfortunately the password manager requires a Firefox account. Just a little bit silly.


Are you ready for Nessus Map? It parses .nessus files and shows the output in an interactive UI.


A coupla linux network troubleshooting commands (basic)


I've mentioned the Ring doorbell cameras.
So has Amazon: to the police. They gave the police a 'heatmap' of all devices in an area. While the feature was removed, you can be sure that Amazon would never do it again, nor would police expect them to.


The FBI applied for and received a search warrant to Sony on a PlayStation 4's owner. Apparently national security required the FBI to know what games the alleged cocaine seller had and how far he got in them.


Windows - it's not an OS, it's a virus.
A bug in the login system put users at risk of account hijacks.


Apple's iPhone 11 sends location data to Apple, even with location off. Apple sees no problem with this.




Tuesday, December 3, 2019

Quiet - Amazon is Listening



Amazon has introduced a way to let doctors record your conversations and attach them to your records. What could possibly go wrong?

I knew EHR was going to bite us in the buttocks, especially after having been in the industry. Now we figured out a way to make records more invasive. And Amazon is to blame. Wait til Google hears of this.



T-Mobile's "nationwide 5G" fails to cover 130 million Americans
Let's be fair: the 5G rollout is all press and very little rolling


Wanna know how Iran's internet blackout went down?


Of course your android phone is fully patched. Unfortunately, there's another vuln being exploited for banking info.  You could always not bank with your phone.



This dude swapped his PC with a Raspberry Pi 4 for a week.


Alternatives to the top command



Monday, December 2, 2019

Billions and Millions Exposed....

A rather large database storing a rather large amount of business-to-potential-customer SMS (spam?) was wide open, courtesy of TrueDialog. Completely unprotected on the web.





Hey (friendly) hackers - Uncle Sam really does love you after all! Give him a ring.



Next Gen Tech - coming in 2020
EaaS
Employees as a Service.
Tired of the current ones?
Are they dumber than a box of rocks?
Want to outsource?
EaaS is your answer. Start using it as a buzzword and expect us in 2Q 2020.


The new version of Kali Linux has an 'undercover mode' to impersonate Windows 10.  This is sheer brilliance. Security staff will see a Win 10 machine trying to hack the network, giggle a bit, then ignore it.



The world's first mobile phone detection cameras are in use in Australia, to 'cut fatalities'.  Surveillance State at its finest.  Australia is a test bed for rights confiscation. Expect it to infect the UK next, then possibly the US.


It's easy to get a .gov domain name.
That's not a problem, is it?


4 million fresh stolen cards tied to breaches at Krystal, Moe's, McAlister's Deli, and Schlotzsky's.  I'd stop eating there, if I ate there in the first place.



8 best linux desktops and laptops

4 reasons to encrypt your linux partition



Friday, November 29, 2019

Always Pay Cash - Especially at Hotels



In an event no one could foresee, there's more malware at hotels. Oddly, this time the infection vector is email.  Sleep Easily.



We need a new malware category, called IronyWare. This is any kind of malware that attacks security firms, like Prosegur, which does alarms, physical security, and armored cars.



Adobe's Magento Marketplace breached, 250,000 affected.
Previous breach in 2013, affecting 38 million accounts.
At least they learn from their mistakes.



More android malware: this time it's stalkerware - check the story for apps.



Faceyspaces was down during Thanksgiving.
Global productivity up 76%



It was a light Thanksgiving, but Black Friday tech deals abound, even for hackers.


Sometimes I like to preview these entries before they go up, just to see how ugly the blog continues to look. But at least we're full of content, if not full of anything else.



Wednesday, November 27, 2019

Min 737 MAX



There is some serious agita around Boeing's 737 MAX.
People are nervous, and these are industry people.
The planes have been pulled from service, pending recertification.
This time it's Transport Canada.

I'm glad someone said it.
This is an industry which has a good safety record. In which systems are triple-reinforced. In which all participants have a vested interest in things running well. Everything about this smells.

In March 2019, China pulled 100 737 MAX 8s.
Also in March, the FAA said the plane is still airworthy.

airworthy (n) - a condition where wings provide lift and a plane can take off. You wouldn't want to be on the plane, though.



On the Border got hit and payment card info may have been stolen.
Maybe the corporations getting hit will convince people to go back to cash.
Nah.
If you like frozen strawberry margaritas, this is the place (I drink like a girl). Their hot brownie with vanilla ice cream is outta sight. Just don't use a credit card.



Top 25 most dangerous vulnerabilities

1. the people working around you


If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention.



LINUX

Ubuntu bug reveals your media files to others without warning.
Starts the sharing service at startup.


Turning your Raspberry Pi 4 into an edge gateway (part 1)




Tuesday, November 26, 2019

Faceyspaces, Twitter. Again.




Two third-party SDKs used by hundreds of thousands of Android apps have been caught gaining unauthorized access to users' personal data associated with their connected social media accounts. SHOCK - Faceyspaces and Twitter affected.

Not that this will affect a single login, but we Security Folk, who go running round in circles, waving our hands over our heads, have to make note of it.  Just wait til those video Faceyspaces interfaces hit homes. They will watch every facet of your life, including your sleep. Orwell was half right: Big Brother, yes - only it's not the government - it's Faceyspaces/Google/Amazon/Twitter.



Hot on the ransomware hit parade is DeathRansom.
Yeah, it didn't really encrypt your files at first, but it's back and does encrypt your files.



VCPI, an IT company, was hit with ransomware, preventing access to crucial patient records.  I think they call this irony.


How to mount your iDevice as an external drive in Ubuntu




Monday, November 25, 2019

We've Won an Award!



The Greatest Invisible Blog on the Internet!
The problem, as I see it, is that the only advertising I did for it was on the original blog, which gets..... less traffic than many blogs on the net. Because I don't advertise.

So you see, the fault is mine, for being advertising-deficient, among other things.



"Being right too soon is socially unacceptable." - Robert A. Heinlein



Pshaw - it was only 1.2 billion people's records (hacked in T-Mobile US).



Just in case you missed this, Amazon wants you to know that it's your fault if a Ring camera violates your privacy. The app the police use can request footage, no warrant required. Well, maybe Amazon has a point... they're getting richer on the stupidity of their customers. An American success story if there ever was one.  Ask anyone in security, or most people who have had their first coffee - this is a slow motion train wreck, like IoT.



Google is talking support for the actual linux kernel in android.
That could be interesting.


Senators ask if Faceyspaces really lets users opt out of location tracking.
Faceyspaces ask senators if they're really going to cut taxes.



Remember that unblockable super cookie that uBlock detected? Other ad-blockers are entering the fray.


Order a OnePlus? Some of your info might be among that taken in the breach. They are confident that payment info and passwords have not been compromised. The article doesn't mention how they're confident.


Kaspersky located 37 security issues in VNC.
So make sure to leave it open to the internet.
Oops, I was too quick - Shodan shows about 600,000 internet-facing machines.


NextCry targets NextCloud linux servers - no detection.






Friday, November 22, 2019

Friday Finale



I'm sad to say this is my last post.
For the week.


There is a patch for Outlook for Android for a recent vulnerability which could result in takeover of a system.

Now I want you to be honest with me.... do you or anybody you know run Outlook on your android? It's almost as silly as Outlook for linux. It makes my head hurt. I know an iDevice user who runs it, but we agreed not to talk about it.



Also a BIND advisory, affecting multiple versions. It could be abused to cause a DDoS condition.



T-Mobile was hacked. The hackers got access to the data of prepaid customers.
Hackers insisted it be spelled TMobile.



AMD just released a $49 mainstream processor. Yes, for the normals out there, $49 will get you a nice processor. It's unlocked, so you can jack up the clock speed, which normals don't do anyway.



Perennial favorite Google wants to move android back to the mainline linux kernel.  No word yet on how they plan to get linux to phone home.



Pissed because people keep blocking ads, the ad industry came up with an 'unblockable' web tracker. It violates the GDPR out of the box. At this time, only Firefox with the uBlock Origin addon can stop it.  There are some fascinating bits in this article on ad tech and how majors are reacting.



Don't use Startpage for searches anymore. It was sold to a behavioral ad company.



No, IT blogs aren't that difficult.
Yes, using a spell-checker on IT topics is.



Thursday, November 21, 2019

Backdoor Fixed?



Ddoor - cross platform backdoor using DNS txt records.
It's ok - it's a lightweight backdoor.


Google and Samsung fix android spying flaw.
So only the rest of the phones are vulnerable.


Microsoft denies BlueKeep ransomware is theirs.
No, MS Teams and BlueKeep (RDP) are not responsible.
But they publicly flog themselves over RDP.



GPS manipulation in Shanghai is probably NOT the Chinese military
Like IoT, GPS is one of those technologies that just begs for problems. If you're steering a ship or piloting a plane, you'd better have a reliable backup... if there are problems, GPS will be the first thing to go.



NSA advisory addressing encrypted traffic inspection risks
Yeah, we think you just shouldn't encrypt anything... it's for the children...
No, seriously, read it.


Running linux commands with timeout



Speaking of linux, I was initially taken aback when I saw 'mpd'. Turns out it doesn't stand for Multiple Personality Disorder.



Wednesday, November 20, 2019

If You Think We're Gonna Fix That, We're Laughing at You



In case you needed another reason not to buy anything that says D-Link on it, more of their routers were discovered to have critical RCE bugs, and they won't be fixed. D-Link's 'out' is that they're end of life. This should be fun for the people who sadly purchased one of their products.


uBlock is having trouble with first-party tracker blocking.


How the most damaging ransomware evades IT security - by Sophos



Linux

Wanna try out Monero digital coin?
I'd avoid it. The coin stealer found in the 64 bit CLI official binaries eats up too many cpu cycles and bandwidth.


How to recall forgotten linux commands
[apropos + history]



Security and Privacy

These 2 are Sadly Related Required Reading. There IS no privacy, but you need to know why....

How Knightscope's security robots surveil the public

The fantasy of opting out



Tuesday, November 19, 2019

It Goes Both Ways



Multi-platform "ACBackdoor" attacks Win + Lin by executing arbitrary code.

Ok: goes both ways, backdoor. I think we know where this is going.
Linux has zero detection rate, Win obviously has more. This is a new one, folks.



And it's Ransomware!

It's a bad day to be in Louisiana, especially if you're in state IT or need to access (some) state servers. The Office of Technical Services (OTS) said some, but not all, servers are infected. "Similar" to the ones that have attacked a swath of the US recently.

For some strange reason, the state had backups and is restoring them as we type.



Android camera app bug lets apps record video without permission.
The app's storage permission allows the camera to record video.
Nice job, Googs.
You should use a different camera app anyway. You can't turn off the bloody noise on mine.



Fresh from two straight days of talking about it with others, it looks like the Deepin linux distro is getting some sort of AI voice assistant. Even without reading the (ad-blocker hostile) article, we know it doesn't send everything you say to Google. Now, let's get that bad boy over to Ubuntu, and we're golden.



Macy's done got card details skimmed as part of another Magecart breach.
In further strange news, it was discovered a week after it happened.
It was reported to the relevant card brands and victims get 12 months of Experian identity protection service. I challenge you... pick out the oxymoron.

If you said Experian protection, you're right! You win a solid year of Experian protection!





Monday, November 18, 2019

Another Day at the Office - Google Lies to Congress




The Goog is in trouble. Read the article for only minor horrors about how the Fair and Balanced search engine works, and how many fingers are on the results you see. Yet another reason to use Duckduckgo. You can tell goog is important because they've already lied to Congress.


Researchers found 146 vulnerabilities in various android firmwares....
Plus the updates your carrier 'forgot' to send you....


Yippee! The PinePhone is now available for pre-order!
This version is for early adopters. $149 is so tempting....
You should also research your intended linux phone distro.


Manipulating text with grep
Go grep yourself.


Malware attack drops double remote access trojan in Windows to steal Chrome and Firefox browser data.




Friday, November 15, 2019

Amazon Sucks Eggs



To my horror, somebody in my family, who isn't me, was gifted an Amazon tablet. This is not a privacy-friendly device, to put it mildly. Even though it's android, you have to go through Amazon to get apps, which spy as badly as the ones on Google Play. If you've got any tips or tricks, please forward in the comments.



Speaking of linux, TecMint has the top 15 security-centric linux distros of 2019. Interesting to note how many are based on Debian. Or you could just route some or all through Tor (don't forget to contribute, financially or by hosting a node).



The aforementioned PineBook is mentioned and partially reviewed by a Vivaldi browser developer.



How the linux kernel balances the risks of public bug disclosure.



Impeachment hearing reveals White House phone security fail.




Thursday, November 14, 2019

The Secret Life of Cardboard



Life of a wi-fi security researcher.
The only security presenter at a wi-fi conference.



In smaller news, 125 new flaws were found in routers and NAS devices from popular brands.  Read 'em and weep.



Google is getting even more exciting than Faceyspaces these days, if only for sheer amount of time in the news, being evil. This time it's calendars, specifically thousands of them, possibly leaking private information online... there are over 8,000 of them, searchable via Google search.

Long ago, coworkers and friends wanted to use Google calendars because they were convenient. I made that 'you want me to kill babies?' face and they laughed at me because I was a tin foil loon. Besides - Google was huge - they'd protect your data. I told them that people who are serious about privacy don't post their personal information online. They laughed again. And again, I was right. Why doesn't anyone ever call me to tell me I was right, again?




Qualcomm chipsets, largely in android phones and tablets, are vulnerable to potentially serious flaws. The flaws could allow an attacker to steal sensitive information stored where they normally cannot get at it.  YOU KIDS GET OUT OF MY QUALCOMM SECURE WORLD!




First Microsoft put a linux subsystem in Windows. Now there's a PowerShell for linux.  We are living in the end times.



InfoTrax Systems was hacked more than 20 times from 2014 to 2016.
They failed to detect this (even though every display in the place said YOU'RE HACKED upon login). Finally, their very sophisticated detection system kicked in. And when I say sophisticated detection system, I mean the hack caused them to run out of disk space.

These ne'er do wells have been sued by the FTC for losing full names, social security numbers, email addresses, phone numbers, usernames and passwords. And some payment card information.  I can't even begin to tell you...this is a technology company!



A security breach at Hostinger might have affected 14 million customers. Cuz if you're a big hosting company, you want to make big mistakes.

I guess it's a pipe dream to ask people to take their business elsewhere, when a breach is discovered. They won't even read the news. Let the market decide.




With the PineBook and PinePhone becoming available, you'll be thrilled to get a Pocket P.C.  This thing has the electronics of a phone, with a linux OS, 1080p display and longer battery life. It ships with Debian 10. The display is 4.95" 1080p with touch. There are 2 models, $199 and $299, the latter of which you can use for developing LoRa apps. They are powered by a 1.2GHz quad-core ARM Cortex-A53 CPU.  Target is May 2020.




There's a new app comin' around the mountain (and over it). If you have a smart phone, you can monitor drones in the area.  All sorts of information is available, surprisingly.  Although we're the target market, I can see this being very popular in the middle east.




Last, an actual helpful link: how to find temperature and fan speed in linux for CPU and GPU.
Some of the instructions are a bit funky. I like the xfce panel plugin.




Wednesday, November 13, 2019

The Jesus Ransomware


No, seriously... someone's working on it. The file extension is .jc

While the article said this much, it didn't mention what it did after it infected the computer.

Let me guess... it puts ten rules onscreen....

  1. Thou shalt have no other processors before me
  2. Thou shalt not covet thy neighbor's RAM
  3. Thou shalt not not lay with Macs
  4. In order to decripteth, thou shalt require 17 bitcoins and the Holy Hand Grenade of Antioch
  5. Thou shalt not overclock, unlessith thou cooleth properly
  6. Thou shalt not take the name of Linus Torvalds in vain
  7. Remember Black Friday sales, and keep them holy
  8. Thou shalt not steal CPU cycles for pictures of kitties
  9. Honor thy processors that came before
  10. If thou art bored, thou can get in some coveting of thy neighbor's wife's ass

Infection vector: clicking on a link in an email from A. Priest.

Damage: adds .jc extension to all the new little files, marks files Saved.

Repair: when repair is threatened, ransomware moves the infection to a different computer, in a different country; pretends nothing happened.




Oopsie - Faceyspaces did it again.
A bug in the app accesses the iPhone's camera while the user scrolls through News Feed.

Reached for comment, Faceyspaces confirmed the bug was "inadvertently introduced" and promised a fix was in the works.

"Inadvertently introduced" - the same way impeachment was inadvertently introduced.




  • An oopherectomy is getting rid of ovaries. An uberectomy is getting rid of a car service that will either rape or kill you.




Bad Intel drivers give hackers a backdoor to the Windows kernel.
Patch yer damn computers.


As if it weren't enough that Google is after every possible piece of information it can get, it just went into healthcare. As if healthcare wasn't enough, it's now in banking, via checking accounts. Early next year, it will start monitoring air and change its name to Cyberdyne Systems. In response to the rapid growth, Google has decided to drop its privacy policy, because... you know... Google.




How about a video on a DDOS attack?
Warning: don't click the link if you aren't interested.



I just get done mentioning the PinePhone, and here's an article, with it running KDE's OS.  This is Big News<tm>. No Google. No Apple. Open source hardware and the linux phone platform you choose. I'm going to wait for the next generation, which will hopefully have more horsepower. Or maybe I won't....



McAfee Antivirus lets hackers execute arbitrary code and escalate system privilege.  It was patched, but make sure your system is ok and that it was patched.


Newer Intel CPUs vulnerable to variant 2 of ZombieLoad attack.
Just in case your CPU wasn't vulnerable to the first version, here's your attack.
Here's further info on MDS, the hardware vulnerability.
These guys found the initial processor loophole.
These guys find themselves too busy singing to deal with vulnerabilities.



And because you just haven't had enough of today's shit show of vulnerabilities, your Trusted Platform Module may leak your VPN server's private key.




Aside from that, it was a pretty good day.



Tuesday, November 12, 2019

Blue Keeps Your Data


Fortunately, BlueKeep is difficult to implement, even though it's in the wild.
Patch yer damn machines already!


Encrypted emails on macOS found stored unencrypted.
Fortunately, Apple is going to fix the (Siri) bug.
In the meantime, there's a command to type in the terminal window.


The Texas Health Agency made names, addresses, Social Security numbers and treatment information of 6,617 people public. After the $1.6 million fine, they're Very Sorry (they got caught) and take your privacy seriously (because they got caught) and will do whatever is necessary to secure all data (so they won't get caught again).

In totally unrelated news, the taxpayers of Texas are on the hook for $1.6 million for the incompetence of Health and Human Services Commission.



Linux Corner

Using the diff command to compare 2 files at the command line.

The ever-popular find command. Because there are so many bloody options, there will be a quiz at the end of the article.

Advanced PDF tricks. Sit, watermarks, and don't do that on my carpet.

The former mayor of Munich goes over how much Microsoft hates linux, especially after linux was adopted there. All the love for linux lately is total BS.

Basic troubleshooting with telnet and netcat



Friday, November 8, 2019

Pinebooks are comin'


I've written before about the Pinebook, the $199 laptop.
There are many pros and cons, if you read the reviews, but for $199, you get a functional laptop. The second batch went out to customers and they are naturally posting unboxing videos, because if you don't post video of you physically opening a box, you never got the box or what was supposed to be inside it.

At the price, it's almost a throwaway. I'm tempted, especially because you can't get a tablet for that little. I urge you to read the reviews, forum, and all of the specs before you say or do anything.  Understand that this is a 64 bit ARM processor.  There's also a linux-only open source hardware phone, to be available for pre-order. It's compatible with all major linux phone project software. In other words, buy the phone, install your favorite OS. I'm watching this project carefully.



So do you, for some strange reason, have an iDevice and run MS Office?
Be careful because it turns out that when you disable the macros, they aren't disabled. Aside from that, I'm sure Office is every bit as lovely as it is on Windows systems.



Popular period tracking apps share your sexual health data with Faceyspaces. Read about how this came to be and what, if anything, is being done about it.

Told you so.



The CEO of Foursquare has called on Congress to regulate the location data industry.  Next week, oil companies are going to call on Congress to regulate them too.  My question is whether the gentleman has already made the adjustments he asks for to his own company (the article doesn't say).

My suggestion: run your company the way you ask and encourage other companies to also. Because you don't need tech-illiterate, overreaching blowhards to legislate things for you. In fact, it's in your best interests to self-regulate, because you have no idea what will happen when the tech-illiterates 'help' you with regulation. Unless they're already in your pocket.




Happy weekend.





Thursday, November 7, 2019

SSH......ssssshhhhhh

How to configure custom SSH connections to simplify remote access.
Just a bit of ssh help.


Sometimes it's good to get your info on your own time, from a different source, and in longer form. Here are some great cybersec podcasts (clearancejobs.com)



Hey, are you missing a text, perhaps from Valentine's Day?
A boatload of people got them this morning.
It was across all carriers and allegedly involved 'a third party'.
About those people who lost someone between this morning and V-day.....



So those genetic databases you use to find out your ancestor was Trotsky?
Don't look now, but police just got a warrant to search the database.

Everybody repeat after me:  I told you so.

I took so much crap over this from so many, including other security people, plus the indignant who showed me the terms of the signup.  This is a smaller database - just wait for the bigger ones, if it hasn't already started.



A breach at an eye clinic exposes the information of 20,000 patients.
Can't these people see what they're doing?



You're gonna love this: specially crafted ZIP files used to bypass secure email gateways.  The ZIP file was larger than the uncompressed file.



How bout that Ring video doorbell?
Attackers can now steal your wifi password. Can you say "unprotected wireless access point?"  I knew you could. This is an absolutely idiotic flaw. Do drunk monkeys design these things?

Remember: stealing passwords is almost as bad as putting up insecure IoT goodies. And when I say insecure, I mean all of them.



Tuesday, November 5, 2019

Firewalling Your Phone and Other Things

One android-related item: I've said it before, but you never realize how bad things are until you put a firewall on your phone. This might sound difficult, but hear me out...

Let's take our normal android phone... you install a cool internet radio app like TuneIn Radio. You fire the program up and listen to whatever stations you like. It became my #1 player.


Since my phone met its maker, I had to transfer everything to a new one (whatever you pay for insurance is worth it). LG, in addition to great phones, has a great transfer app. I found this out after I did everything manually on the new phone, because I only know how to do complicated things - I get nervous with anything easy. My original firewall was No Root Firewall, named because you don't have to root your phone to use it. I decided to give Netguard firewall a try.


With a firewall, when you fire up TuneIn Radio, you will get ill seeing where it goes. The firewall shows you every destination. You will see the obvious packets to the radio's domain. Then you'll see a shitload (technical term) of packets going all over the place. Spend any time looking them up and you'll see they're all advertising. So for each call for radio, there are 5 or more ad calls. One of the things about android that pisses me off is the apps are allowed to 'come alive' when they're not being used. TuneIn runs constantly, contacting ad domains. It has absolutely dominated my logs, more so than goog calls.


Btw, you don't need goog. You don't need to put in a goog account. You don't have to allow goog outside the phone. Since all apps phone home, the firewall stops them. Many apps don't need any net access at all, yet demand it. If you install a puzzle app, there's no reason it needs access to your phone, camera, storage, and internet access. So stop it with a firewall. You also won't see ads on everything... it's a less automatic ad-blocker.
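To put numbers on the "5 or more ad calls per radio call" observation, here is an added example (not from the blog, and not the real export format of NetGuard or No Root Firewall) that summarises per-app connections from a constructed firewall log, given a hypothetical allowlist of hosts each app genuinely needs:

```python
"""Summarise per-app outbound connections from a phone firewall log.

Added example, not from the blog post. Assumes a constructed, simplified
log format: "<time> <app> <destination-host>:<port>" per line. This is
NOT NetGuard's or No Root Firewall's real export format.
"""
from collections import defaultdict

# Constructed sample: a minute of traffic for a radio app and a puzzle game.
SAMPLE_LOG = """\
10:00:01 tunein stream.radio.example:443
10:00:01 tunein ads.tracker-one.example:443
10:00:02 tunein metrics.tracker-two.example:443
10:00:02 tunein cdn.adnetwork.example:443
10:00:03 tunein pixel.tracker-three.example:443
10:00:03 tunein sync.adnetwork.example:443
10:00:30 tunein stream.radio.example:443
10:00:31 tunein ads.tracker-one.example:443
10:00:31 tunein cdn.adnetwork.example:443
10:05:00 puzzlegame ads.tracker-one.example:443
10:05:00 puzzlegame pixel.tracker-three.example:443
"""

# Hosts each app actually needs (hypothetical allowlist). Anything else the
# app talks to is counted as "unexpected" traffic.
EXPECTED_HOSTS = {
    "tunein": {"stream.radio.example"},
    "puzzlegame": set(),  # an offline puzzle game needs no network at all
}


def parse_log(text):
    """Yield (app, host) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _time, app, dest = parts
        host = dest.rsplit(":", 1)[0]
        yield app, host


def summarise(text, expected=EXPECTED_HOSTS):
    """Per app: count expected vs unexpected connections and the unexpected hosts."""
    stats = defaultdict(
        lambda: {"expected": 0, "unexpected": 0, "unexpected_hosts": set()}
    )
    for app, host in parse_log(text):
        entry = stats[app]
        if host in expected.get(app, set()):
            entry["expected"] += 1
        else:
            entry["unexpected"] += 1
            entry["unexpected_hosts"].add(host)
    return dict(stats)


def ratio(summary, app):
    """Unexpected connections per expected one; None if nothing expected was seen."""
    entry = summary[app]
    if entry["expected"] == 0:
        return None
    return entry["unexpected"] / entry["expected"]


def suggest_block(summary):
    """Apps whose traffic is entirely unexpected: candidates for denying all net access."""
    return sorted(
        app for app, e in summary.items() if e["expected"] == 0 and e["unexpected"] > 0
    )


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for app, e in s.items():
        print(f"{app}: {e['expected']} expected, {e['unexpected']} unexpected "
              f"({len(e['unexpected_hosts'])} distinct hosts), ratio {ratio(s, app)}")
    print("block entirely:", suggest_block(s))
```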





If you fail to update Win XP(!) and Win 7, you missed the first service pack for XP in forever. This is due to the Bluekeep vulnerability. If you haven't patched yet, stop being a willing idiot.  And if you keep port 3389 (RDP) open to the internet, you're asking for it. And if you use an ancient, non-supported OS, you're asking for it.

Your system is next.




Check out fwbackups. It's a new, open source backup that's simple. I just ran my first backup and it went well. You can select the compression for speed or efficiency.



What happens when you're successfully spearphished?
Your bank account becomes $742k lighter, like the city of Ocala, Florida.

Monday, November 4, 2019


Uptux - privilege escalation checks for linux


2 unpatched critical RCE flaws disclosed in rConfig



If you use Chrome browser on any OS, update it now.



The first Bluekeep attacks are here!
Not as nasty as reported, but you shoulda patched your systems a long time ago.



The Pentagon published AI ethical guidelines.
This is today's best, loudest, and longest laugh.



MS 365 helps improve orgs' security and compliance posture.
MS 365 now helps find and review insider security threats.

MS 365 babysits the IT department when the boss is out.
MS 365 makes pancakes.



How the FBI abused NSA mass surveillance data.
We're so much safer since 9-11.

Friday, November 1, 2019

Telco Malware?


Mandiant has discovered malware that siphoned texts out of a telco's network.
Infects servers that route SMS messages.
Tracks back to... get ready..... a Chinese Government sponsored hacking group.

The only question that remains is who gets it first: the NSA or the Chinese?




Speaking of Chinese food, I don't eat it because it all tastes the same, regardless of where it's from. Bland. No spice.

Speaking of Chinese spying, the US Department of the Interior has grounded its 800 drone fleet over concerns of Chinese spying.

Here's the good part - you're gonna love it: DHS alerted about data security issues, specifically on Chinese drones.  Who woulda thought? Didn't we (temporarily and partially) ban Huawei networking products for this reason?

Would all the heads of government agencies who understand tech please stand in line. All of you. Any at all? Not even one? No, Sir, you're the janitor.. I'm sure you know more than the heads of agencies, but you're not the head of this agency.




The Pirate Bay was down for a week due to a DDoS attack.
Gee, I wonder where that came from....



As of Firefox 73, you can no longer sideload extensions.
The comments are priceless.

I like to sit alone on weekends and sideload, so this will affect me.



Happy Friday, everyone.
Sleep tight, and pray the large numbers of little brown bedbugs don't bite.


Thursday, October 31, 2019

The Entire Multiverse Has Blown Up


Microsoft just signed on with Oracle's OpenJDK, the official open source Java. They want to be good citizens within this group.

Ok, we need to look this gift horse in the mouth. First a linux subsystem under Windows. Now open source Java?  Santa, the Easter Bunny, and Jesus will be by your house after work, with your one million dollar Publishers Clearing House check.



So about those DNA genetic makeup services... Why shouldn't you use them?
Well, firstly, there's the sharing with the letter agencies. Second, insurance will want to get their hands on the data. Third, you'll only be disappointed when you find out one of your parents was a donkey in stone age Scotland.

Then there's this: GEDmatch is a service that matches your profile to other profiles that have been uploaded. The only problem is that there are way too many ways to get into the site. GEDmatch was apparently secured by the aforementioned donkey (before he graduated from Security School).

Just Don't Do It.




What is web.com? The company that owns Network Solutions and register.com.
And they just disclosed a small security breach.  Someone got into their network and accessed millions of records in late August.

Stolen were names, addresses, phone numbers, email addresses, and information about services offered to customers. And shoe sizes.

The good news is that no credit card information was compromised.
Why?
They encrypt the credit card information before it goes into their databases, per PCI (Payment Card Industry) standards.
Why not encrypt everything?
Because they're stupid.

Affected customers are being notified.
Customers are urged to go to web.com's headquarters and hang around, insisting to talk to the CEO and generally being a pest.




Who's in your firmware?
And why should you care?
This video gives you some idea of the problems and the soon-to-be problems.



11 best CAD software(s) for linux
Never let anyone tell you there's a shortage of linux offerings.




McAfee has been observing a new phishing campaign against O365, using a fake voicemail message. The victim gets an email that they missed a call and please login to their account to check their voicemail. When the attached HTML file is loaded, it redirects to the phishing site. Users login and POOF - the phishers have their credentials. Surprisingly, McAfee products will recognize this.



Last but not least, Kortrijk, a vacation spot in Belgium, uses a mobile phone provider's data to count the people in the town and where they come from. Even better, city officials will try to cross-reference this with credit and debit card databases. The city pays Proximus 40,000 EuroYens a year for this data.

Enough, I say. Time to anonymize services. This whole tracking thing has gotten way out of hand.

Wednesday, October 30, 2019

More Facial Recognition Woes



While messing around with this new blog's visual settings, I went for the most hideous combinations I could find. I hope you'll agree I succeeded. ThermionicEmissions has been described as "ugly as hell", "burns my retina", and "WTF?"  I can't hope to top that, so I may go more standard here. Please send a comment, regardless.



Facial recognition could compromise your medical images(!)
Rest assured, this data will be combined with other data and POOF - you're no longer anonymous.


Several vulnerabilities were found in VLC.
If you're not aware, VLC is an excellent media player that plays almost everything on almost every platform. One was in the OGG format, one in ASF. These have been patched by VideoLAN, so update immediately.



The linux kernel is getting more reliable - Linus Torvalds.
Plus, what does a Chief Linux Maintainer do?
(at very least, a foul temper is required - and appreciated)


Faceyspaces will let someone find out your new identity even after you blocked them. Like an abusive ex.   I very desperately need to get me an account!


Another product I like, Firefox, has a bug that could copy saved passwords without the master password. This has been fixed as of 68.0.2.  Once again: do not save browser passwords or use browser password lockers. You're asking for it.


Brian Krebs on the $566 million breach of BriansClub.

  • The 26 million cards in this breach represent almost 1/3 of the accounts for sale in the underground.
  • What the watchdogs did.
  • Large banks knew, smaller banks found out through VISA/MC alerts.


Apparently there's a Ford app that allows an owner/renter to remote control start/stop, lock/unlock, and track.

5 months after renting, a man still has the app and can still start/stop, lock/unlock, and track the vehicle. Ford has leapt to inaction by doing nothing.

While we're at it, the next time you rent a vehicle, DON'T HOOK YOUR PHONE TO THE STEREO. People don't delete their data and neither do the rental agencies. What kind of information is in your phone that you don't want to share with anyone who rents a car?




Tuesday, October 29, 2019

Xubuntu 19.10 Upgrade

The system told me there was an update, and I hit GO.
I don't normally do what I'm told, but I trust Ubuntu.
Upgrading from 19.04 to 19.10 (Extreme Elephant).


USUAL DISCLAIMER
I have a customized desktop, so upgrades don't look different.
I like my menus at the bottom, not the top.
The Ubuntu people sometimes get way too excited over new colors and shapes on the desktop. They should absolutely have their fun.


As usual, the upgrade completed quickly - perhaps 15-20 minutes.
Note for the ADD people: watch the terminal. It will ask you questions the moment you get busy with something else.

It went smoothly.
Then it got a little unpleasant, which I haven't experienced before.

Thunderbird threw up issues. The Lightning calendar coughed and died, as did a bunch of addins. The addins didn't play nicely with Thunderbird and only some of them were replaceable.

There were a few tiny icon changes.
BFD.

All of a sudden, the machine developed a locking screensaver.  This was disconcerting, as I didn't install it. All sorts of options presented themselves. Nothing worked, including adjusting the Illudium P-32 Explosive Space Modulator. After some research, I was sent to the screensaver to adjust everything there. Apparently this overrides other settings.


Otherwise, it works as it did - just fine.
Verdict: safe to update, unless you don't like versions starting with E.

Honest Crapware Stuff Here

You know those stupid exercises on websites where you have to prove you're human (CAPTCHAs)? Here's an interesting article that explains it and gives examples of how organizations are working around it. Warning: do not stab your monitor with a knife. It will ruin an LCD screen and chip a regular old monitor. Don't get me started on cell phones.

A dental data backup service offering ransomware protection got hit with ransomware. Ironic, no?


Foxit PDF software company suffered a data breach - you are asked to change your password.   Why you need to log into a site for software is beyond me.


Samsung Galaxy 10 fingerprint sensor bypassed with a cheap gel screen protector.   Don't use fingerprint readers, we said.

Linux Azure?

Per Microsoft: Azure Sphere OS, a linux-based IoT platform, will be available in February 2020.   Obviously this is an attempt to undermine linux.


An Australian consumer watchdog sues Google over location data use.
Somebody needs to.


Q. What happens when your IoT device needs updating?
A. Nothing.


If you've got an iPhone 5, you better update it by November 3, or you'll lose your net access.  I don't like iDevices, but isn't that a little old?

Speaking of Apple, Airpods Pro will scan your ears to tell you if they fit correctly.  And if they're giving off enough superiority spray.


A religious website exposed user data for at least 6-7 months.  Oh God.


Mozilla acknowledged an issue in Firefox 70.0 with pages that use dynamic JavaScript. It affects at very least YouTube and Facebook.   And the problem is?


HAPPY BIRTHDAY, Internet: 50 years young


A security researcher managed to get access to all Xiaomi pet feeders around the world. She found 10,950 devices, and the API allowed her to locate the rest of them.  Unrelated news: a pet obesity epidemic is upon us.


A persistent android dropper called Xhelper has infected 45,000 devices in the past 6 months. It plays ads incessantly, and if you try to uninstall, it reinstalls itself.





Have you ever spellchecked a tech blog? I have a very serious headache.

Monday, October 28, 2019

Android Apple Malicious Apps

17 malicious apps from the Apple app store infect users with clicker trojan malware.
Complete list at the link.



Not to be outdone, 42(!) dangerous android apps have been identified. They were formerly in the play store and contain harmful adware:

Smart Gallery, SaveInsta, Mini lite for Facebook, Free Radio FM Online, Free Video Downloader, Free social video downloader, File Downloader, Water Drink Reminder, Smart Notes for You, DU Recorder, Tank classic, Heroes Jump, Solucionario, Ringtone Maker, Video downloader, Ringtone Maker Pro, Basketball Perfect Shot, HikeTop+, MP4 video downloader, Flat Music Player, Free Top Video Downloader.


Raccoon, an information stealer, is becoming popular with the Bad People. Hundreds of millions infected. It infects devices and steals credit card data, email credentials, and more. The authors work to improve it and provide service, unlike certain operating systems. This falls into a category called Malware as a Service (MaaS) and you pay $200 a month to use it. It hails from Russia and gives you a free stuffed raccoon after the first month. That last bit was completely made up.




UniCredit, an Italian bank, had a breach of its systems, affecting millions of customer records. UniCredit has worked diligently on improving their outcomes. The proof is the 2.4 billion pounds invested after their previous breach affected only 400,000 customers. These guys are moving up!



If you use Adobe, and you shouldn't, nearly 7.5 million account details were discovered online. How did this happen? Their database was online without any password. Only the best and brightest.

“The information does not pose a direct financial or security threat. No credit cards or other payment information was exposed, nor were any passwords.”



Our sister blog, ThermionicEmissions, features all sorts of sarcasm and Other Stuff.

Welcome. Maybe?

Since my original blog, ThermionicEmissions doesn't have a ton of readers, the only sensible thing to do was create another blog. This one will focus on Tech. Stuff you should know, from the headlines. Warnings about malware and virii. Funny tech stories. Interesting things to do with network cables.

ThermionicEmissions will continue to feature everything else in the known universe.

I pledge to bring stories to you in a timely manner.
I also pledge to bring a custom ugly theme. In the meantime, you're stuck with this one.

Corona Malware

This blog has been suspended for a bit because it's practicing social distancing. Or no one reads it. Or I'm too lazy. Or the str...