Friday, November 29, 2019

Always Pay Cash - Especially at Hotels



In an event no one could foresee, there's more malware at hotels. Oddly, this time the infection vector is email. Sleep easily.



We need a new malware category, called IronyWare. This is any kind of malware that attacks security firms, like Prosegur, which does alarms, physical security, and armored cars.



Adobe's Magento Marketplace breached, 250,000 affected.
Adobe's previous breach, in 2013, affected 38 million accounts.
At least they learn from their mistakes.



More android malware: this time it's stalkerware - check the story for the list of apps.



Faceyspaces was down during Thanksgiving.
Global productivity up 76%



It was a light Thanksgiving, but Black Friday tech deals abound, even for hackers.


Sometimes I like to preview these entries before they go up, just to see how ugly the blog continues to look. But at least we're full of content, if not full of anything else.



Wednesday, November 27, 2019

Min 737 MAX



There is some serious agita around Boeing's 737 MAX.
People are nervous, and these are industry people.
The planes have been pulled from service, pending recertification.
This time it's Transport Canada.

I'm glad someone said it.
This is an industry which has a good safety record. In which systems are triple-reinforced. In which all participants have a vested interest in things running well. Everything about this smells.

In March 2019, China pulled 100 737 MAX 8s.
Also in March, the FAA said the plane is still airworthy.

airworthy (adj) - a condition where wings provide lift and a plane can take off. You wouldn't want to be on the plane, though.



On the Border got hit and payment card info may have been stolen.
Maybe the corporations getting hit will convince people to go back to cash.
Nah.
If you like frozen strawberry margaritas, this is the place (I drink like a girl). Their hot brownie with vanilla ice cream is outta sight. Just don't use a credit card.



Top 25 most dangerous vulnerabilities

1. the people working around you


If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention.



LINUX

Ubuntu bug reveals your media files to others without warning.
The media sharing service starts at boot and serves your media directory to anyone on the local network, whether you asked for that or not.


Turning your Raspberry Pi 4 into an edge gateway (part 1)




Tuesday, November 26, 2019

Faceyspaces, Twitter. Again.




Two third-party SDKs used by hundreds of thousands of Android apps have been caught harvesting users' personal data from their connected social media accounts without authorization. SHOCK - Faceyspaces and Twitter affected.

Not that this will affect a single login, but we Security Folk, who go running round in circles, waving our hands over our heads, have to make note of it. Just wait 'til those video Faceyspaces interfaces hit homes. They will watch every facet of your life, including your sleep. Orwell was half right: Big Brother, yes - only it's not the government - it's Faceyspaces/Google/Amazon/Twitter.



Hot on the ransomware hit parade is DeathRansom.
Yeah, it didn't really encrypt your files at first, but it's back and does encrypt your files.



VCPI, an IT company, was hit with ransomware, preventing access to crucial patient records.  I think they call this irony.


How to mount your iDevice as an external drive in Ubuntu




Monday, November 25, 2019

We've Won an Award!



The Greatest Invisible Blog on the Internet!
The problem, as I see it, is that the only advertising I did for it was on the original blog, which gets..... less traffic than many blogs on the net. Because I don't advertise.

So you see, the fault is mine, for being advertising-deficient, among other things.



"Being right too soon is socially unacceptable." - Robert A. Heinlein



Pshaw - it was only 1.2 billion people's records, found sitting on an open, unprotected server. (No, that's not the T-Mobile breach from last week; that one was separate, and far smaller.)



Just in case you missed this, Amazon wants you to know that it's your fault if a Ring camera violates your privacy. The app the police use can request footage, no warrant required. Well, maybe Amazon has a point... they're getting richer on the stupidity of their customers. An American success story if there ever was one.  Ask anyone in security, or most people who have had their first coffee - this is a slow motion train wreck, like IoT.



Google is talking about supporting the mainline linux kernel on android.
That could be interesting.


Senators ask if Faceyspaces really lets users opt out of location tracking.
Faceyspaces ask senators if they're really going to cut taxes.



Remember that 'unblockable' super cookie that uBlock Origin detected? Other ad-blockers are entering the fray.


Order a OnePlus? Some of your info might be among that taken in the breach. They are confident that payment info and passwords have not been compromised. The article doesn't mention how they're confident.


Kaspersky found 37 security issues across several VNC implementations.
So make sure to leave it open to the internet.
Oops, I was too quick - Shodan shows about 600,000 internet-facing VNC servers.


NextCry targets NextCloud linux servers - no AV detection at the time it was found.






Friday, November 22, 2019

Friday Finale



I'm sad to say this is my last post.
For the week.


There is a patch for Outlook for Android for a recent vulnerability which could result in takeover of the device.

Now I want you to be honest with me.... do you or anybody you know run Outlook on your android? It's almost as silly as Outlook for linux. It makes my head hurt. I know an iDevice user who runs it, but we agreed not to talk about it.



Also a BIND advisory, affecting multiple versions. It can be exploited to cause a denial-of-service condition.



T-Mobile was hacked. The hackers got access to the data of prepaid customers.
Hackers insisted it be spelled TMobile.



AMD just released a $49 mainstream processor. Yes, for the normals out there, $49 will get you a nice processor. It's unlocked, so you can jack up the clock speed, which normals don't do anyway.



Perennial favorite Google wants to move android back to the mainline linux kernel.  No word yet on how they plan to get linux to phone home.



Pissed because people keep blocking ads, the ad industry came up with an 'unblockable' web tracker. It violates the GDPR out of the box. At this time, only Firefox with the uBlock Origin addon can stop it.  There are some fascinating bits in this article on ad tech and how majors are reacting.



Don't use Startpage for searches anymore. It was sold to a behavioral ad company.



No, IT blogs aren't that difficult.
Yes, using a spell-checker on IT topics is.



Thursday, November 21, 2019

Backdoor Fixed?



Ddoor - cross-platform backdoor using DNS TXT records.
It's ok - it's a lightweight backdoor.
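A backdoor that talks over DNS TXT lookups leaves a distinctive shape in resolver logs: one client, lots of TXT queries, all under one zone, with answers far longer than the SPF/DMARC records normal hosts ask for. The script below is an added example, not code from the post or from the ddoor project; the log lines are constructed (roughly the shape of a resolver query log) and the thresholds are assumptions to tune per environment, not published indicators.

```python
"""Spot hosts whose DNS TXT traffic looks like a command channel.

Added example, not code from the post or from ddoor. SAMPLE_LOG is constructed
here; the thresholds in txt_beacon_report() are assumptions, not published IOCs.
"""
from collections import defaultdict
import re

# Constructed sample log: timestamp, client, query type, queried name, answer length (bytes)
SAMPLE_LOG = """\
2019-11-21T10:00:01 10.0.0.5 A www.example.com 4
2019-11-21T10:00:02 10.0.0.5 A cdn.example.com 4
2019-11-21T10:00:03 10.0.0.5 TXT _dmarc.example.com 60
2019-11-21T10:00:10 10.0.0.9 TXT a1.cmd.example.net 220
2019-11-21T10:00:20 10.0.0.9 TXT a2.cmd.example.net 240
2019-11-21T10:00:30 10.0.0.9 TXT a3.cmd.example.net 230
2019-11-21T10:00:40 10.0.0.9 TXT a4.cmd.example.net 250
2019-11-21T10:00:41 10.0.0.9 A www.example.com 4
2019-11-21T10:00:50 10.0.0.9 TXT a5.cmd.example.net 215
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (client, qtype, name, answer_len); lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, qtype, name, alen = m.groups()
            yield client, qtype.upper(), name.lower(), int(alen)


def txt_beacon_report(text, min_txt=4, min_ratio=0.5, min_avg_len=100):
    """Return {client: stats} for clients whose TXT traffic looks like a channel.

    Heuristics (assumptions, adjust for your network):
      - at least min_txt TXT queries from the client,
      - TXT queries are at least min_ratio of everything the client asked,
      - the average TXT answer is at least min_avg_len bytes,
      - every TXT lookup falls under a single parent zone (the leading label changes, the zone does not).
    """
    per_client = defaultdict(lambda: {"total": 0, "txt": 0, "txt_len": 0, "zones": set()})
    for client, qtype, name, alen in parse_log(text):
        s = per_client[client]
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
            s["txt_len"] += alen
            # parent zone = everything after the first label
            s["zones"].add(name.split(".", 1)[1] if "." in name else name)
    flagged = {}
    for client, s in per_client.items():
        if s["txt"] < min_txt:
            continue
        ratio = s["txt"] / s["total"]
        avg_len = s["txt_len"] / s["txt"]
        if ratio >= min_ratio and avg_len >= min_avg_len and len(s["zones"]) == 1:
            flagged[client] = {
                "txt": s["txt"],
                "ratio": round(ratio, 2),
                "avg_len": round(avg_len, 1),
                "zone": next(iter(s["zones"])),
            }
    return flagged


if __name__ == "__main__":
    for client, stats in txt_beacon_report(SAMPLE_LOG).items():
        print(client, stats)
```

On the constructed log, 10.0.0.9 is flagged (five TXT lookups, all under cmd.example.net, averaging about 231 bytes per answer) while 10.0.0.5's single DMARC lookup is not. Beacons that sleep between lookups will still show up here because the report aggregates per client rather than per time window; add a window if you need to catch the slow ones separately.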


Google and Samsung fix android spying flaw.
So only the rest of the phones are vulnerable.


Microsoft denies the DoppelPaymer ransomware has anything to do with its products.
No, MS Teams and BlueKeep (RDP) are not how it spreads.
But they took the opportunity to publicly flog themselves over RDP anyway.



GPS manipulation in Shanghai is probably NOT the Chinese military
Like IoT, GPS is one of those technologies that just begs for problems. If you're steering a ship or piloting a plane, you'd better have a reliable backup. If there are problems, GPS will be the first thing to go.



NSA advisory addressing encrypted traffic inspection risks
Yeah, we think you just shouldn't encrypt anything... it's for the children...
No, seriously, read it.


Running linux commands with timeout



Speaking of linux, I was initially taken aback when I saw 'mpd'. Turns out it doesn't stand for Multiple Personality Disorder (Music Player Daemon, if you must know).



Wednesday, November 20, 2019

If You Think We're Gonna Fix That, We're Laughing at You



In case you needed another reason not to buy anything that says D-Link on it, more of their routers were discovered to have critical RCE bugs, and they won't be fixed. D-Link's 'out' is that they're end of life. This should be fun for the people who sadly purchased one of their products.


uBlock Origin is having trouble with first-party tracker blocking.


How the most damaging ransomware evades IT security - by Sophos



Linux

Wanna try out Monero digital coin?
I'd avoid it. The coin stealer found in the official 64-bit CLI binaries eats up too many cpu cycles and bandwidth. If you downloaded them recently, verify the hashes before you run them.


How to recall forgotten linux commands
[apropos + history]



Security and Privacy

These 2 are Sadly Related Required Reading. There IS no privacy, but you need to know why....

How Knightscope's security robots surveil the public

The fantasy of opting out



Tuesday, November 19, 2019

It Goes Both Ways



Multi-platform "ACBackdoor" gives the attacker arbitrary code execution on both Windows and linux.

Ok: goes both ways, backdoor. I think we know where this is going.
The linux variant has a zero detection rate; the Windows one, obviously, gets caught more. This is a new one, folks.



And it's Ransomware!

It's a bad day to be in Louisiana, especially if you're in state IT or need to access (some) state servers. The Office of Technology Services (OTS) said some, but not all, servers are infected. "Similar" to the ones that have attacked a swath of the US recently.

For some strange reason, the state had backups and is restoring them as we type.



Android camera app bug lets apps record video without the camera permission.
Any app holding only the storage permission could make the camera app take pictures or record video, then read the files off storage.
Nice job, Googs.
You should use a different camera app anyway. You can't turn off the bloody noise on mine.



Fresh from two straight days of talking about it with others, it looks like the Deepin linux distro is getting some sort of AI voice assistant. Even without reading the (ad-blocker hostile) article, we know it doesn't send everything you say to Google. Now, let's get that bad boy over to Ubuntu, and we're golden.



Macy's done got card details skimmed as part of another Magecart breach.
In further strange news, it was discovered a week after it happened.
It was reported to the relevant card brands and victims get 12 months of Experian identity protection service. I challenge you... pick out the oxymoron.

If you said Experian protection, you're right! You win a solid year of Experian protection!





Monday, November 18, 2019

Another Day at the Office- Google Lies to Congress




The Goog is in trouble. Read the article for only minor horrors about how the Fair and Balanced search engine works, and how many fingers are on the results you see. Yet another reason to use Duckduckgo. You can tell goog is important because they've already lied to Congress.


Researchers found 146 vulnerabilities in various vendors' android firmware....
Plus the updates your carrier 'forgot' to send you....


Yippee! The PinePhone is now available for pre-order!
This version is for early adopters. $149 is so tempting....
You should also research your intended linux phone distro.


Manipulating text with grep
Go grep yourself.


Malware attack drops two remote access trojans on Windows to steal Chrome and Firefox browser data.




Friday, November 15, 2019

Amazon Sucks Eggs



To my horror, somebody in my family, who isn't me, was gifted an Amazon tablet. This is not a privacy-friendly device, to put it mildly. Even though it's android, you have to go through Amazon to get apps, which spy as badly as the ones on Google Play. If you've got any tips or tricks, please forward in the comments.



Speaking of linux, TecMint has the top 15 security-centric linux distros of 2019. Interesting to note how many are based on Debian. Or you could just route some or all through Tor (don't forget to contribute, financially or by hosting a node).



The aforementioned PineBook is mentioned and partially reviewed by a Vivaldi browser developer.



How the linux kernel balances the risks of public bug disclosure.



Impeachment hearing reveals White House phone security fail.




Thursday, November 14, 2019

The Secret Life of Cardboard



Life of a wi-fi security researcher.
The only security presenter at a wi-fi conference.



In smaller news, 125 new flaws were found in routers and NAS devices from popular brands.  Read em and weep.



Google is getting even more exciting than Faceyspaces these days, if only for sheer amount of time in the news, being evil. This time it's calendars, specifically thousands of them, leaking private information online... over 8,000 calendars that users had set to public and that Google's own search then indexed.

Long ago, coworkers and friends wanted to use Google calendars because they were convenient. I made that 'you want me to kill babies?' face and they laughed at me because I was a tin foil loon. Besides - Google was huge - they'd protect your data. I told them that people who are serious about privacy don't post their personal information online. They laughed again. And again, I was right. Why doesn't anyone ever call me to tell me I was right, again?




Qualcomm chipsets, largely in android phones and tablets, are vulnerable to potentially serious flaws. The flaws could allow an attacker to pull sensitive information out of the chip's Secure Execution Environment, the trusted 'secure world' that is supposed to be walled off from the rest of the phone. YOU KIDS GET OUT OF MY QUALCOMM SECURE WORLD!




First Microsoft put a linux subsystem in Windows. Now there's a PowerShell for linux.  We are living in the end times.



InfoTrax Systems was hacked more than 20 times from 2014 to 2016.
They failed to detect this (even though every display in the place said YOU'RE HACKED upon login). Finally, their very sophisticated detection system kicked in. And when I say sophisticated detection system, I mean the hack caused them to run out of disk space.

These ne'er-do-wells have been sued by the FTC for losing full names, social security numbers, email addresses, phone numbers, usernames and passwords. And some payment card information. I can't even begin to tell you...this is a technology company!



A security breach at Hostinger might have affected 14 million customers. Cuz if you're a big hosting company, you want to make big mistakes.

I guess it's a pipe dream to ask people to take their business elsewhere, when a breach is discovered. They won't even read the news. Let the market decide.




With the PineBook and PinePhone becoming available, you'll be thrilled to get a Pocket P.C. This guy is the electronics of a phone, with a linux OS, 1080p display and longer battery life. It ships with Debian 10. The display is 4.95" 1080p with touch. There are 2 models, $199 and $299, the latter of which you can use for developing LoRa apps. They are powered by a 1.2GHz quad-core ARM Cortex-A53 cpu. Target is May 2020.




There's a new app comin' around the mountain (and over it). If you have a smart phone, you can monitor drones in the area.  All sorts of information is available, surprisingly.  Although we're the target market, I can see this being very popular in the middle east.




Last, an actual helpful link: how to find temperature and fan speed in linux for CPU and GPU.
Some of the instructions are a bit funky. I like the xfce panel plugin.




Wednesday, November 13, 2019

The Jesus Ransomware


No, seriously... someone's working on it. The file extension is .jc

While the article said this much, it didn't mention what it did after it infected the computer.

Let me guess... it puts ten rules onscreen....

  1. Thou shalt have no other processors before me
  2. Thou shalt not covet thy neighbor's RAM
  3. Thou shalt not not lay with Macs
  4. In order to decripteth, thou shalt require 17 bitcoins and the Holy Hand Grenade of Antioch
  5. Thou shalt not overclock, unlessith thou cooleth properly
  6. Thou shalt not take the name of Linus Torvalds in vain
  7. Remember Black Friday sales, and keep them holy
  8. Thou shalt not steal CPU cycles for pictures of kitties
  9. Honor thy processors that came before
  10. If thou art bored, thou can get in some coveting of thy neighbor's wife's ass

Infection vector: clicking on a link in an email from A. Priest.

Damage: adds .jc extension to all the new little files, marks files Saved.

Repair: when repair is threatened, ransomware moves the infection to a different computer, in a different country; pretends nothing happened.




Oopsie - Faceyspaces did it again.
A bug in the app accesses the iPhone's camera while the user scrolls through News Feed.

Reached for comment, Faceyspaces confirmed the bug was "inadvertently introduced" and promised a fix was in the works.

"Inadvertently introduced" - the same way impeachment was inadvertently introduced.




  • An oophorectomy is getting rid of ovaries. An uberectomy is getting rid of a car service that will either rape or kill you.




Bad Intel drivers give hackers a backdoor to the Windows kernel.
Patch yer damn computers.


As if it weren't enough that Google is after every possible piece of information it can get, it just went into healthcare. As if healthcare wasn't enough, it's now in banking, via checking accounts. Early next year, it will start monitoring air and change its name to Cyberdyne Systems. In response to the rapid growth, Google has decided to drop its privacy policy, because.. you know... Google.




How about a video on a DDOS attack?
Warning: don't click the link if you aren't interested.



I just get done mentioning the PinePhone, and here's an article, with it running KDE's OS.  This is Big News<tm>. No Google. No Apple. Open source hardware and the linux phone platform you choose. I'm going to wait for the next generation, which will hopefully have more horsepower. Or maybe I won't....



McAfee Antivirus let attackers execute arbitrary code and escalate to SYSTEM privilege. It has been patched, but make sure your installation actually got the update.


Newer Intel CPUs vulnerable to variant 2 of ZombieLoad attack.
Just in case your CPU wasn't vulnerable to the first version, here's your attack.
Here's further info on MDS, the hardware vulnerability.
These guys found the initial processor loophole.
These guys find themselves too busy singing to deal with vulnerabilities.



And because you just haven't had enough of today's shit show of vulnerabilities, your Trusted Platform Module may leak your VPN server's private key.




Aside from that, it was a pretty good day.



Tuesday, November 12, 2019

Blue Keeps Your Data


Fortunately, BlueKeep is difficult to exploit reliably, even though exploitation is in the wild.
Patch yer damn machines already!


Encrypted emails on macOS found stored unencrypted (in the database Siri uses for suggestions).
Fortunately, Apple is going to fix the bug.
In the meantime, there's a command to type in the terminal window.


The Texas Health Agency made names, addresses, Social Security numbers and treatment information of 6,617 people public. After the $1.6 million fine, they're Very Sorry (they got caught) and take your privacy seriously (because they got caught) and will do whatever is necessary to secure all data (so they won't get caught again).

In totally unrelated news, the taxpayers of Texas are on the hook for $1.6 million for the incompetence of Health and Human Services Commission.



Linux Corner

Using diff command to compare 2 files at the command line.

The ever-popular find command. Because there are so many bloody options, there will be a quiz at the end of the article.

Advanced PDF tricks. Sit, watermarks, and don't do that on my carpet.

The former mayor of Munich goes over how much Microsoft hates linux, especially after linux was adopted there. All the love for linux lately is total BS.

Basic troubleshooting with telnet and netcat



Friday, November 8, 2019

Pinebooks are comin'


I've written before about the Pinebook, the $199 laptop.
There are many pros and cons, if you read the reviews, but for $199, you get a functional laptop. The second batch went out to customers and they are naturally posting unboxing videos, because if you don't post video of you physically opening a box, you never got the box or what was supposed to be inside it.

At the price, it's almost a throwaway. I'm tempted, especially because you can't get a tablet for that little. I urge you to read the reviews, forum, and all of the specs before you say or do anything.  Understand that this is a 64 bit ARM processor.  There's also a linux-only open source hardware phone, to be available for pre-order. It's compatible with all major linux phone project software. In other words, buy the phone, install your favorite OS. I'm watching this project carefully.



So do you, for some strange reason, run MS Office on a Mac?
Be careful, because it turns out that when you disable macros, they aren't all disabled: the old XLM macros tucked into SYLK files still run. Aside from that, I'm sure Office is every bit as lovely as it is on Windows systems.



Popular period tracking apps share your sexual health data with Faceyspaces. Read about how this came to be and what, if anything, is being done about it.

Told you so.



The CEO of Foursquare has called on Congress to regulate the location data industry.  Next week, oil companies are going to call on Congress to regulate them too.  My question is whether the gentleman has already made the adjustments he asks for to his own company (the article doesn't say).

My suggestion: run your company the way you ask and encourage other companies to also. Because you don't need tech-illiterate, overreaching blowhards to legislate things for you. In fact, it's in your best interests to self-regulate, because you have no idea what will happen when the tech-illiterates 'help' you with regulation. Unless they're already in your pocket.




Happy weekend.





Thursday, November 7, 2019

SSH......ssssshhhhhh

How to configure custom SSH connections to simplify remote access.
Just a bit of ssh help.


Sometimes it's good to get your info on your own time, from a different source, and in longer form. Here are some great cybersec podcasts (clearancejobs.com)



Hey, are you missing a text, perhaps from Valentine's Day?
A boatload of people got them this morning.
It was across all carriers and allegedly involved 'a third party'.
About those people who lost someone between this morning and V-day.....



So those genetic databases you use to find out your ancestor was Trotsky?
Don't look now, but police just got a warrant to search the database.

Everybody repeat after me:  I told you so.

I took so much crap over this from so many, including other security people, plus the indignant who showed me the terms of the signup.  This is a smaller database - just wait for the bigger ones, if it hasn't already started.



A breach at an eye clinic exposes the information of 20,000 patients.
Can't these people see what they're doing?



You're gonna love this: specially crafted ZIP files used to bypass secure email gateways. The tell was that the ZIP file was larger than the uncompressed file it supposedly contained.
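A gateway can only scan what its own unpacker sees, so the trick is to build a ZIP that two unpackers read differently. One way to get a "bigger than its contents" archive is to glue two complete archives together: the file then carries two end-of-central-directory records, the last one describes only the second archive, and its offsets no longer point where they claim. The checker below is an added example, not code from the post or from the researchers who reported the bypass; it assumes the concatenation construction, and the two sample archives are constructed in memory.

```python
"""Flag ZIP attachments whose structure does not add up.

Added example, not code from the post or the original research. Assumption:
the bypass is a file made of two concatenated archives, so there are two
end-of-central-directory (EOCD) records and the file is larger than the
single archive the last EOCD describes.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header


def find_all(data, sig):
    """Offsets of every occurrence of sig in data."""
    out, pos = [], data.find(sig)
    while pos != -1:
        out.append(pos)
        pos = data.find(sig, pos + 1)
    return out


def inspect_zip(data):
    """Return a dict with eocd_count, entries, reasons and a suspicious flag."""
    eocds = find_all(data, EOCD_SIG)
    report = {"eocd_count": len(eocds), "reasons": []}
    if not eocds:
        report["reasons"].append("no EOCD record: not a ZIP")
        report["suspicious"] = True
        return report
    last = eocds[-1]
    # EOCD after the signature: disk(2) cd_disk(2) entries_on_disk(2) entries(2)
    #                           cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, entries, cd_size, cd_offset, comment_len = struct.unpack_from("<HHHHIIH", data, last + 4)
    report["entries"] = entries
    if len(eocds) > 1:
        report["reasons"].append("multiple EOCD records (concatenated archives?)")
    # In a glued file the last EOCD's cd_offset is relative to the second archive's
    # start, so in the combined file it no longer lands on a central directory header.
    if data[cd_offset:cd_offset + 4] != CDH_SIG:
        report["reasons"].append("cd_offset does not point at a central directory header")
    local_headers = len(find_all(data, LFH_SIG))
    if local_headers > entries:
        report["reasons"].append(f"{local_headers} local file headers but the central directory lists {entries}")
    expected_len = cd_offset + cd_size + 22 + comment_len   # 22 = fixed EOCD size
    if len(data) > expected_len:
        report["reasons"].append(f"file is {len(data) - expected_len} bytes larger than the archive the last EOCD describes")
    report["suspicious"] = bool(report["reasons"])
    return report


def build_zip(name, payload):
    """Build a small stored (uncompressed) archive in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one honest archive, and two archives glued together.
BENIGN = build_zip("notes.txt", "quarterly numbers attached")
DOUBLE = build_zip("decoy.txt", "nothing to see here") + build_zip("invoice.exe", "MZ-not-really")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("double", DOUBLE)):
        print(label, inspect_zip(blob))
```

The honest archive produces no reasons; the glued one trips all four checks. Python's own zipfile quietly compensates for the offset mismatch (that is exactly the kind of leniency that makes two unpackers disagree), which is why the check reads the raw bytes instead of trusting a library to open the file.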



How bout that Ring video doorbell?
Attackers can now steal your wifi password. Can you say "unprotected wireless access point?"  I knew you could. This is an absolutely idiotic flaw. Do drunk monkeys design these things?

Remember: stealing passwords is almost as bad as putting up insecure IoT goodies. And when I say insecure, I mean all of them.



Tuesday, November 5, 2019

Firewalling Your Phone and Other Things

One android-related item: I've said it before, but you never realize how bad things are until you put a firewall on your phone. This might sound difficult, but hear me out...

Let's take our normal android phone.. you install a cool internet radio app like TuneIn radio. You fire the program up and listen to whatever stations you like. It became my #1 player.


Since my phone met its maker, I had to transfer everything to a new one (whatever you pay for insurance is worth it). LG, in addition to great phones, has a great transfer app. I found this out after I did everything manually on the new phone, because I only know how to do complicated things - I get nervous with anything easy. My original firewall was No Root Firewall, named because you don't have to root your phone to use it. I decided to give Netguard firewall a try.


With a firewall, when you fire up TuneIn Radio, you will get ill seeing where it goes. The firewall shows you every destination. You will see the obvious packets to the radio's domain. Then you'll see a shitload (technical term) of packets going all over the place. Spend any time looking them up and you'll see they're all advertising. So for each call for radio, there are 5 or more ad calls. One of the things about android that pisses me off is the apps are allowed to 'come alive' when they're not being used. TuneIn runs constantly, contacting ad domains. It has absolutely dominated my logs, more so than goog calls.


Btw, you don't need goog. You don't need to put in a goog account. You don't have to allow goog outside the phone. Since all apps phone home, the firewall stops them. Many apps don't need any net access at all, yet demand it. If you install a puzzle app, there's no reason it needs access to your phone, camera, storage, and internet access. So stop it with a firewall. You also won't see ads on everything... it doubles as a (less automatic) ad-blocker.
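Eyeballing a firewall log tells you an app is noisy; counting tells you how noisy, and which domains a block rule should hit. The script below is an added example, not NetGuard's or NoRoot Firewall's code. The log format is a constructed approximation (app, destination host, port, bytes), so real exports will need parse_line() adjusted, and the ad-domain set is a hand-written stand-in for a real blocklist.

```python
"""Per-app egress summary from firewall log lines: what share of an app's
connections and bytes go to ad/tracker domains, and what to block.

Added example, not code from the post or from any firewall app. SAMPLE_LOG and
AD_DOMAINS are constructed stand-ins; registered_domain() is a crude heuristic.
"""
from collections import defaultdict

# Constructed sample: app, destination host, port, bytes transferred
SAMPLE_LOG = """\
tunein radio.tunein.example 443 51200
tunein ads.adnet.example 443 2100
tunein track.measure.example 443 800
tunein ads.adnet.example 443 1900
tunein cdn.adnet.example 443 4200
tunein b.mobile-metrics.example 443 600
puzzle ads.adnet.example 443 900
puzzle track.measure.example 443 300
"""

# Constructed stand-in for a real blocklist
AD_DOMAINS = {"adnet.example", "measure.example", "mobile-metrics.example"}


def registered_domain(host):
    """Last-two-labels heuristic (no public suffix list); fine for the demo, not for .co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse_line(line):
    """Split one constructed log line into (app, host, port, bytes)."""
    app, host, port, nbytes = line.split()
    return app, host, int(port), int(nbytes)


def egress_summary(text):
    """Per app: connection count, share of connections/bytes to ad domains, and per-domain counts."""
    stats = defaultdict(lambda: {"conns": 0, "ad_conns": 0, "bytes": 0, "ad_bytes": 0,
                                 "domains": defaultdict(int)})
    for line in text.splitlines():
        if not line.strip():
            continue
        app, host, _port, nbytes = parse_line(line)
        dom = registered_domain(host)
        s = stats[app]
        s["conns"] += 1
        s["bytes"] += nbytes
        s["domains"][dom] += 1
        if dom in AD_DOMAINS:
            s["ad_conns"] += 1
            s["ad_bytes"] += nbytes
    return {
        app: {
            "conns": s["conns"],
            "ad_share": round(s["ad_conns"] / s["conns"], 2),
            "ad_byte_share": round(s["ad_bytes"] / s["bytes"], 2),
            "domains": dict(s["domains"]),
        }
        for app, s in stats.items()
    }


def block_candidates(summary):
    """For each app: the ad domains worth a block rule, and whether it talks to anything else at all."""
    out = {}
    for app, s in summary.items():
        ad = sorted(d for d in s["domains"] if d in AD_DOMAINS)
        out[app] = {"block": ad,
                    "needs_network": any(d not in AD_DOMAINS for d in s["domains"])}
    return out


if __name__ == "__main__":
    summary = egress_summary(SAMPLE_LOG)
    for app, s in summary.items():
        print(app, s)
    print(block_candidates(summary))
```

On the constructed log, tunein makes 5 of its 6 connections to ad domains (though only about 16% of its bytes; the stream itself is the big transfer), while puzzle never talks to anything but trackers, so it can lose network access entirely.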





If you fail to update Win XP(!) and Win 7, you missed the first XP patch in forever. This is due to the BlueKeep vulnerability. If you haven't patched yet, stop being a willing idiot. And if you keep port 3389 (RDP) open to the internet, you're asking for it. And if you use an ancient, unsupported OS, you're asking for it.

Your system is next.




Check out fwbackup. It's a new, open source backup that's simple. I just ran my first backup and it went well. You can select the compression for speed or efficiency.



What happens when you're successfully spearphished?
Your bank account becomes $742k lighter, like the city of Ocala, Florida.

Monday, November 4, 2019


Uptux - privilege escalation checks for linux


2 unpatched critical RCE flaws disclosed in rConfig



If you use Chrome browser on any OS, update it now.



The first Bluekeep attacks are here!
Not as nasty as reported, but you shoulda patched your systems a long time ago.



The Pentagon published AI ethical guidelines.
This is today's best, loudest, and longest laugh.



MS 365 helps improve orgs' security and compliance posture.
MS 365 now helps find and review insider security threats.

MS 365 babysits the IT department when the boss is out.
MS 365 makes pancakes.



How the FBI abused NSA mass surveillance data.
We're so much safer since 9-11.

Friday, November 1, 2019

Telco Malware?


Mandiant has discovered malware that siphoned texts out of a telco's network.
Infects servers that route SMS messages.
Tracks back to... get ready..... a Chinese Government sponsored hacking group.

The only question that remains is who gets it first: the NSA or the Chinese?




Speaking of Chinese food, I don't eat it because it all tastes the same, regardless of where it's from. Bland. No spice.

Speaking of Chinese spying, the US Department of the Interior has grounded its 800-drone fleet over concerns of Chinese spying.

Here's the good part - you're gonna love it: DHS alerted about data security issues, specifically on Chinese drones.  Who woulda thought? Didn't we (temporarily and partially) ban Huawei networking products for this reason?

Would all the heads of government agencies who understand tech please stand in line. All of you. Any at all? Not even one? No, Sir, you're the janitor.. I'm sure you know more than the heads of agencies, but you're not the head of this agency.




The Pirate Bay was down for a week due to a DDoS attack.
Gee, I wonder where that came from....



As of Firefox 73, you can no longer sideload extensions.
The comments are priceless.

I like to sit alone on weekends and sideload, so this will affect me.



Happy Friday, everyone.
Sleep tight, and pray the large numbers of little brown bedbugs don't bite.


Corona Malware

This blog has been suspended for a bit because it's practicing social distancing. Or no one reads it. Or I'm too lazy. Or the str...