Everything posted by allheart55 Cindy E
-
Trojans capable of installing additional malware are currently affecting the stock firmware of at least 26 Android smartphone models.

Russian anti-malware company Dr Web found that the Pixus Touch 7.85 3G, the Marshal ME-711, and more than 20 other smartphones for Android currently ship with stock firmware that is infected with malware.

Android.DownLoader.473.origin is one of those trojans. It's a downloader program that starts up every time an affected device turns on, monitors the Wi-Fi signal, and communicates with its command-and-control (C&C) server in order to load up additional malware like Adware.AdBox.1.origin.

Doctor Web provides some insight on this secondary threat in a blog post:

"Once installed, it displays a small box image on top of running applications. The image cannot be removed from the screen. It is a shortcut clicking on which opens a catalog integrated into Adware.AdBox.1.origin. In addition, the Trojan shows advertisements."

Showing advertisements, you say? Sounds a lot like some of the other Android trojans Dr Web's researchers have come across.

Even so, Adware.AdBox.1.origin is more persistent than other types of malware. That's because Android.DownLoader.473.origin will download and install Adware.AdBox.1.origin if and when the user should choose to delete it.

Android.DownLoader.473.origin isn't the only downloader trojan affecting these smartphones. Doctor Web also detected Android.Sprovider.7 embedded in the stock firmware of Lenovo A319 and Lenovo A6000. This malware loads up Android.Sprovider.12.origin, a payload which is capable of downloading APKs and displaying advertisements.

Both of those capabilities help generate income for the attackers. As Dr Web explains:

"It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore, Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users."

At this time, users of the following smartphone models identified by Doctor Web should assume they're affected:

• MegaFon Login 4 LTE
• Irbis TZ85
• Irbis TX97
• Irbis TZ43
• Bravis NB85
• Bravis NB105
• SUPRA M72KG
• SUPRA M729G
• SUPRA V2N10
• Pixus Touch 7.85 3G
• Itell K3300
• General Satellite GS700
• Digma Plane 9.7 3G
• Nomi C07000
• Prestigio MultiPad Wize 3021 3G
• Prestigio MultiPad PMT5001 3G
• Optima 10.1 3G TT1040MG
• Marshal ME-711
• 7 MID
• Explay Imperium 8
• Perfeo 9032_3G
• Ritmix RMD-1121
• Oysters T72HM 3G
• Irbis tz70
• Irbis tz56
• Jeka JK103

I would recommend customers contact their company's technical support specialists as soon as possible. Most of those companies are working on a fix at the Russian anti-virus company's prompting, but they might have some mitigation steps users can implement while they await clean firmware.

Source: Graham Cluley
-
-
The new year brings new things, and at this point it’s all but traditional for cable and satellite companies to announce customers will face higher charges in January than in the December before. But Comcast isn’t just increasing its bundle rates a few percentage points in 2017; it’s going to significantly increase how much all of its pay-TV customers pay for a pair of highly controversial fees.

Comcast customers around the nation have received notices this month that prices are indeed going up as of Jan. 1, 2017. And that includes all prices — TV bundles, double- and triple-play bundles, internet and phone prices, all of it, with some geographic variation. But the most egregious increase is perhaps in two line-item fees that Comcast doesn’t include in its bundle pricing: the “Broadcast TV” and “Regional Sports” fees.

When we broke down a real-life Comcast bill in February, our customer was paying a total of $8 for the Broadcast TV and Regional Sports fees. That same customer recently sent us the table of fee increases Comcast is imposing in their region on Jan. 1. The Broadcast TV fee is increasing from $5 to $7 and the Regional Sports fee from $3 to $5. That means the total combined fee is going from $8 to $12 — a staggering 50% increase, equating to an extra $48 a year just for these two fees.

Comcast customers all over the country have sent in their notices to other tech sites, including Ars Technica and DSL Reports, showing the same fee increases.

As we’ve explained before, Comcast says it imposes these after-the-fact fees to recoup costs associated with purchasing the right to distribute programming. Since the 1990s, local broadcast stations have been permitted to negotiate their retransmission rates with cable companies, and cable companies have been permitted to pass costs through to consumers.

Similarly, Comcast and other companies charge extra for recouping the cost of carrying regional sports networks in your package, whether or not you want them. (It can be almost impossible to get a bundle without.) Those are the “Regional Sports Fees,” without which Comcast says that it’s simply too expensive to carry whatever channel is playing sports ball in your neck of the woods.

But Comcast owns many of the regional sports networks it puts in your package. They’re NBC Sports channels. Which means that Comcast customers are paying that fee so Comcast can bring you Comcast-owned stations that you may or may not ever watch.

As we also noted when we reviewed cable bills, though, there’s also already a pass-through charge for recouping retransmission fees on your bill, and it’s your bill.

A group of customers from seven states filed a lawsuit against Comcast in federal court in California in October over these two fees. The complaint claims that by not clearly disclosing these fees when advertising or signing customers up for services, it’s committing false advertising.

“Comcast intentionally does not explain or define what the Broadcast TV Fee and the Regional Sports Fee are – even in the fine print,” argues the complaint. “Instead, Comcast deceptively groups these ‘fees’ in the fine print with ‘taxes and fees, including regulatory recovery fees.’ A consumer reading the fine print would reasonably assume the Broadcast TV Fee and the Regional Sports Fee relate to government fees or taxes.”

That case, however, is facing a significant uphill battle just to be heard in court, since Comcast is one of the many major companies out there that shuts all customers into mandatory binding arbitration that bars your right to a class-action suit.

Source: Consumerist
-
Europol, the Federal Bureau of Investigation, and other law enforcement agencies have arrested 34 individuals who paid for DDoS-for-hire services.

On 12 December, Europol's European Cybercrime Centre (EC3) announced it worked with law enforcement authorities from Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom, and the United States to target users of distributed denial-of-service tools. Together, the countries arrested 34 such individuals and interviewed 100 more between 5 December and 9 December as part of the European Multidisciplinary Platform against Criminal Threats (EMPACT), a framework which is designed to protect critical infrastructure and information systems in the EU.

Amongst those the FBI arrested was Sean Sharma, a 26-year-old graduate student at the University of Southern California, for having used DDoS tools like booters and stressers to take down a San Francisco chat service company’s website. Many of the others detained were less than 20 years old.

Steven Wilson, Head of Europol's European Cybercrime Centre (EC3), notes that it's up to law enforcement to steer individuals like Sharma away from committing computer crime. As quoted in Europol's statement:

"Today’s generation is closer to technology than ever before, with the potential of exacerbating the threat of cybercrime. Many IT enthusiasts get involved in seemingly low-level fringe cybercrime activities from a young age, unaware of the consequences that such crimes carry. One of the key priorities of law enforcement should be to engage with these young people to prevent them from pursuing a criminal path, helping them understand how they can use their skills for a more constructive purpose."

This takedown, dubbed Operation Tarpit, reaches back to Operation Vulcanalia, another effort launched in the United Kingdom. As part of that older investigation, the National Crime Agency (NCA) arrested Grant Manser, 20, of Kidderminster, a town near Birmingham, for managing the DDoS stresser Netproof that according to Bleeping Computer generated £50,000 (US $63,200) from its nearly 13,000 users. A UK judge ultimately tried Manser and sentenced him to two years in youth detention. It would now appear Europol and others are using a database obtained from Manser to go after Netproof's users one by one and take some form of action against them.

Netspoof DDoS booter website (Credit: Sam Bowne)

By no means is this the first time authorities have made a DDoS-related arrest. But many of those previous investigations usually involve DDoS botnet operators. In this case, authorities went after users of DDoS-for-hire services, which goes to show law enforcement's patience with crimeware is wearing thin.

The arrests come at the same time as a campaign that's designed to move tech-savvy teenagers away from a life of crime. As Europol explains:

"The teenagers that become involved in cybercrime often have a skill set that could be put to a positive use. Skills in coding, gaming, computer programming, cyber security or anything IT-related are in high demand and there are many careers and opportunities available to anyone with an interest in these areas."

Our world is at no loss for digital threats today, so let's hope Europol succeeds in persuading some of those individuals to join the good fight.

Source: Graham Cluley
-
-
Microsoft is planning to allow fridges, toasters, thermostats, and other Internet of Things (IoT) devices to access Cortana. The software giant is bringing Cortana to IoT devices with its Windows 10 Creators Update, due in March next year. ZDNet spotted a presentation about the plans at Microsoft’s WinHEC conference in China recently, and the company is outlining its software requirements to hardware makers in preparation of devices coming to the market. “This will enable you to build devices with displays, so you get that immersive Cortana experience,” explains Microsoft program manager Carla Forester. “Any kind of smart device with a screen can now take advantage of Cortana.” Microsoft wants device makers to use a screen to get the full Cortana UI, and the company is providing fridges, thermostats, and toasters as example devices that we’ll likely see in the future. Microsoft is also enabling far-field speech communications and wake on voice in the Creators Update to Windows 10. Both will let hardware makers create devices that are capable of waking up through voice queries and have the ability to hear users from across a room. Microsoft has also started testing some UI enhancements to Cortana that make it more immersive to use full-screen and with just your voice on Windows 10. Microsoft isn’t committing to specific hardware for Cortana, but it’s clearly laying the software groundwork to enable third parties to build devices with screens that will act as a gateway to Cortana in the cloud. Source: The Verge
-
-
Yahoo has fixed a critical cross-site scripting (XSS) vulnerability that could have been exploited by hackers to access any Yahoo Mail user’s private emails. If left unpatched, the vulnerability could have potentially put an estimated 300 million Yahoo Mail accounts at risk.

The security flaw was found by Finnish vulnerability researcher Jouko Pynnönen, who works for the security company Klikki Oy. Pynnönen has a history of uncovering XSS vulnerabilities in web-facing software, having responsibly disclosed security holes in the likes of WordPress and Uber in the past.

The flaw, which was patched in late November after Pynnönen responsibly disclosed details to Yahoo’s security team, allowed malicious JavaScript to be embedded within a specially-formatted email message.

What should send a chill down the spine is that an attack exploiting the vulnerability would not require any user interaction. All a victim would have to do to have their account compromised is simply view an email, with no requirement to click on a link or open an attachment. The malicious code embedded in the email could be used by an attacker to compromise an account, change its settings, forward messages to an external account, or even spread a Yahoo Mail-infecting virus.

For his efforts Pynnönen was rewarded with a $10,000 prize under Yahoo’s bug bounty program.

This isn’t the first time that Pynnönen has earned himself a handsome reward for reporting critical security vulnerabilities in Yahoo’s mail system. A year ago, Pynnönen told Yahoo about a different but similar stored XSS vulnerability that allowed attackers to embed malicious script inside boobytrapped email messages. Just viewing the message was enough to trigger the malicious code – meaning that the recipient did not have to be tricked into clicking on any links or opening any attachments. The malicious script could be used to compromise the account – changing settings, or forwarding/sending emails without the user’s consent.

Pynnönen provided Yahoo’s security team with a proof-of-concept email that would forward a victim’s inbox to a third-party website, and a virus that would infect the account and attach itself to every subsequent email sent from the Yahoo Mail account. It’s easy to imagine how such an attack could spread very quickly, and would be attractive for online criminals to exploit. Fortunately, there were no known exploits in the wild, and the vulnerability was patched in January 2016.

It’s a shame that the work which Yahoo did then to fix that flaw didn’t also protect against the latest vulnerability. A stronger filter at Yahoo’s gateway, hunting for malicious HTML, could have stopped these types of attacks dead in their tracks.

Thank goodness that Pynnönen believes in responsibly disclosing details of his findings to technology companies, and that Yahoo responded appropriately in this latest case.

Source: welivesecurity
-
-
It’s that time of year again, when we’re happy to hear about shoppers performing good deeds and random acts of kindness. Some of those warm-hearted folks we know better than others, including Pennsylvania’s “Santa B” layaway angel, who has now covered the cost of Walmart shoppers’ layaway items for the third year in a row. A total of 194 shoppers had their layaway accounts paid off to the tune of $46,265.59, CNBC reports, after a woman walked into the store and handed over a check from “Santa B.” The story was originally reported by a Facebook page called the Bedford County Free Press. Though this year a woman dropped off Santa B’s check and last year it was a man, a Walmart spokeswoman confirmed that the checks are always signed by a man. The donor’s identity is unknown, but his staff calls the chosen store a few days ahead of time. This is the largest amount a Walmart store has received so far this season, she added. “When customers quietly pay off others’ layaway items, we’re reminded how good people can be,” Walmart said in a statement. One of the shoppers who was a recipient of Santa B’s generosity told CNBC that she still owed $75 for an Xbox intended for her 6-year-old grandson before Santa B stepped in. “I’m just so thankful that he’s going to get it this year,” she said. “Thank you so much to [the person who] paid it off for me.” Source: Consumerist
-
If you’re like everyone else you know, you’ve probably been doing — or plan to do — a bit of online holiday shopping this year. Missing a delivery could put a serious kink in your day, but don’t let that fear draw you into a scammer’s net.

The “missed delivery notice” or “delivery failure notification” scam is one that the Federal Trade Commission has had its eye on in recent years as online shopping has skyrocketed in popularity.

Here’s how it works: Scammers posing as the USPS, FedEx, UPS email their targets with a notice claiming that they’ve missed a delivery, and will need to enter certain personal details or payment information to get that package redelivered, or click a link to another site for more information. Don’t do it.

“Here’s the truth: the email is bogus and there is no package,” the FTC says. “And if you download the attachment or click on a link, you’re likely to end up with a virus or malware on your device.”

It’s a pretty widespread problem, especially this time of year. In the last month or so, local Better Business Bureaus and authorities around the country have been warning consumers of the scam, including Arizona, Connecticut, Indiana, North Carolina, and Texas. Across the pond, the United Kingdom’s Parcel Delivery Service has alerted folks to a similar scheme.

In a related phishing trend, scammers pretend to be Amazon reaching out to customers saying that there’s been a problem processing their order, Pittsburgh’s KDKA reports. Basically, if you’ve got an email address, you could be a target.

Here are a few suggestions from the FTC on how to spot these bogus emails:

• It tells you to click on a link or download an attachment
• It urges you to take immediate action
• It asks you to “re-confirm” personal or financial information
• If you hover over the link in the email, it won’t show the official website of the supposed sender, like the USPS website.

Source: Consumerist
-
-
-
If you have a Sony network-connected CCTV camera, you may have a security problem.

Researchers at SEC Consult uncovered a backdoor in Sony IP cameras that could allow a hacker to remotely execute malicious code, spy on users, brick devices, or recruit them into a DDoS botnet.

As the vandal-resistant Sony IPELA Engine IP cameras at the center of the security scare are largely used by big businesses and authorities to protect people and property, you would be right to wonder how owners of the vulnerable devices would feel if they knew their security cameras had been hijacked by an unknown party.

A critical security hole allows an attacker to remotely enable the Sony IP cameras’ Telnet/SSH service, opening an opportunity to grab root privileges. Predictably, the vulnerability can be exploited because the cameras have factory default passwords hardcoded into their firmware – allowing anyone in the world to log into them if the devices are accessible via the internet.

Stefan Viehböck led the research team, which used an internet-based analysis system called IoT Inspector to examine a firmware update issued by Sony. Within minutes it had ascertained that Sony’s update code contained two password hashes, one of which – “admin” – was cracked immediately. The use of “admin” as a password was, sadly, no particular surprise. After all, the admin password was also hardcoded to be… you guessed it… “admin”. It is presumed that, given time, the root password would also be cracked.

SEC Consult informed Sony of the backdoor in October, and firmware updates were released for all of the affected camera models at the end of last month. With the current wave of IoT-powered DDoS attacks, exploiting poorly-secured webcams and other devices, it should go without saying that users should apply the firmware update as a matter of priority.

Sony would not confirm the reason why the backdoor into its cameras existed, but researchers believe the most likely explanation is that it may have been introduced as a way to allow the company to debug the device during development, or for testing during the manufacturing process. However, the company did say that it was “grateful to SEC Consult for their assistance in enhancing network security” for its products.

And, to be fair, it appears that Sony responded reasonably quickly after being informed of the problem. It’s certainly not always the case that manufacturers act so responsibly. For instance, a research team at Cybereason has claimed this week that a pair of two high profile vulnerabilities they found in a wide variety of IP surveillance cameras two years ago have been ignored by manufacturers, leaving devices open to authentication bypass and web server command injection.

According to Cybereason, the makers of webcams just aren’t taking security seriously enough:

“Most of the cameras run older versions of Linux, like version 2.6.26, while a few run the most recent version from around 3.0 and up. While the OS is somewhat modern, all the cameras were running extremely old and vulnerable software, especially programs that people use to connect to the Internet. The Web server software found in many of the cameras, for example, was from around 2002.”

It is clear that too many vulnerabilities in too many web-connected devices are going unpatched. 2017 is going to see a rise in IoT security issues unless manufacturers start to do a seriously better job of protecting their devices from attack.

Source: Tripwire
-
-
The Electronic Privacy Information Center (EPIC) is asking the Federal Trade Commission (FTC) to ban vulnerable IoT-enabled toys from the marketplace.

In its complaint, the non-profit public interest research organization calls out two toys for spying on its young consumers: My Friend Cayla and the i-Que Intelligent Robot, both of which are produced by a Los Angeles company called Genesis.

"By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information. The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards. They pose an imminent and immediate threat to the safety and security of children in the United States."

Wow, okay... so how exactly are these toys spying on children? Scandinavian consultancy Bouvet has the answer. It was commissioned by the Norwegian Consumer Council to investigate the two Genesis toys along with the Hello Barbie, a doll in which researchers discovered some serious privacy flaws back in 2015.

The trouble begins with how the toys communicate with the Internet. While the toys' apps use HTTPS encryption most of the time, the applications for My Friend Cayla and i-QUE don't when they're communicating with the Weather Underground commercial weather service provider. An attacker could therefore intercept those questions sent over HTTP as part of a man-in-the-middle attack.

It gets worse. Conversations between a child and either of the two toys don't remain private. Instead they're sent to a speech recognition technology company called Nuance Communication, as Bouvet explains:

"In the agreements for Cayla and i-QUE it states that 'When you ask the app a question, this information request is stored on a Nuance Communication (for Apple-based users) or IVONA or Google (for Android/Google-based users) server in the cloud.' On Android the apps sends a request to the nuance.com webpage when they launches. If the apps cannot get the website they tell the user that they cannot connect to the internet, so the apps might use it as a test to see if they have access to Internet. The IP address 205.197.192.116, which is the IP address the apps uploads what we believe to be recordings to, is from Massachusetts Burlington, which is the same city where Nuance has their main offices."

And if that wasn't bad enough, a "toyfail" report published by the Norwegian Consumer Council reveals both toys come with an unreadable set of terms which, among other things, don't specify what constitutes personal data and allows the toys to share all data with unspecified "vendors, consultants, and other service providers." Pretty scary stuff.

Given those privacy shortcomings, it's no wonder organizations other than EPIC are filing their own complaints. On 6 December, the European Consumer Organization (BEUC) announced it had written letters to the European Commission, the EU network of national data protection authorities, and the International Consumer Protection and Enforcement Network (ICPEN) accusing My Friend Cayla and i-QUE of violating several European consumer laws.

Monique Goyens, Director General of The European Consumer Organization (BEUC), said this on the subject:

"Children are especially vulnerable, and are entitled to products and services that safeguard their rights to security and privacy. As long as manufacturers are not willing to take these issues seriously it is clear that this type of connected products is not suitable for children.

"As an increasing number of manufacturers and providers move into the digital field, they must be careful with the security and privacy risks that the digital world opens up.

"With internet-connected devices gaining ground, market supervision is becoming increasingly complex. The challenge to make sure European consumers are properly protected is huge and co-operation between authorities and consumer organizations is key. The fact that business malpractices spill over national borders is making this task even harder."

At this time, it's unclear what will come of EPIC's complaint. We can only hope it will spark a conversation among IoT manufacturers to incorporate more robust security and privacy safeguards into their products.

In the meantime, we as consumers have a responsibility to demand better products. That includes toys that DON'T spy on our children, even if that means buying a regular old teddy bear and letting our children's imagination do its work. Nothing is worth jeopardizing our children's privacy. If a toy doesn't live up to such a basic expectation, exercise your power of the purse and don't buy it. Toy manufacturers will begin to catch on sooner or later.

Source: Graham Cluley
-
-
-
-
-
I don't know, Dougie. I think Windows 10 is a lot faster than 7 or 8.
Sent From My Windows Phone
-
That's great, Peter. If there is one thing that Dell makes super easy to do, that's flashing the BIOS.
-
-
Thanks, Tony. I am able to access it now.
-
-
I haven't been able to access my Hotmail (outlook.com) account for several hours. I keep getting "This page cannot be displayed" error. Is anyone else having an issue with outlook.com?