March 6, 2019

Google reveals BuggyCow macOS security flaw

By John E Dunn

Google’s Project Zero researchers have revealed a “high severity” macOS security flaw nicknamed ‘BuggyCow’ that Apple appears to be in no rush to patch.

The vulnerability is in the way macOS implements a memory optimization and protection routine used by all OS file systems called copy-on-write (COW).

The principle behind COW is that it provides a way for different processes to efficiently and securely share the same data object in memory until they need to modify it in some way – at that point, they must make their own copy of the data rather than changing the data in memory.

Writes Google’s Jann Horn:

It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be able to exploit double-reads in the destination process.

Using BuggyCow, malware already running on a Mac might be able to tamper with the copy of the data written to the disk in a way that is invisible to the file system:

This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug.

If that related to a privileged process, that might be a route to a privilege escalation capable of interfering with sensitive data.


Leaky ski helmet speakers expose conversations and data

By Danny Bradbury

On the face of it, Outdoor Tech’s Chips 2.0 speakers seem like the perfect accessory for any on-trend snow sports enthusiast.

The $130 Bluetooth helmet speakers attach to your audio-equipped ski helmet, giving you 10 hours of wireless audio with the ability to talk to your friends. There’s just one problem, said a security researcher this week: Everyone else can listen in too, and do a lot more besides.

Alan Monie, a researcher at cybersecurity consulting company Pen Test Partners, discovered the flaws after poking around in the walkie-talkie app that comes with the Bluetooth headphones.

Rather than connecting directly with other users on the slopes via Bluetooth, the app connects your Chips 2.0 speakers to the internet via your smartphone, meaning that all communications pass through Outdoor Tech’s servers.

The app allows you to form groups of other skiers or snowboarders, all of whom can then talk to each other via the app. Monie tried it out by creating a group and typing in his own name. That’s when the problems started, he says:

I began setting up a group and noticed that I could see all users. I started searching for my own name and found that I could retrieve every user with the same name in their account.

He dug a little deeper, typing ‘A’ into Outdoor Tech’s application programming interface (API), which is the software interface that the app uses to communicate with the back-end server. IT showed 19,000 users.


Google Photos disables sharing on Android TV

By Lisa Vaas

Imagine you’re setting up your Android TV to display pictures of your cat, or your kids, or your main squeeze, in Backdrop/Ambient Mode.

But instead of photos of your trip to Belize, you see a parade of strangers: as in, Google accounts belonging to people you don’t know, including their profile pictures, all showing up as linked accounts.

That’s what happened to Twitter user Prashanth, who on Saturday posted a 44-second long clip of the accounts that streamed by when he was trying to access his Vu Android TV through the @Google Home app on his phone.

Fortunately, the strangers’ photos stayed tucked away, given that access to the photos themselves was blocked. In fact, Google Photos functionality didn’t seem to be working.

Prashanth told Android Police that he first spotted the bug on his home TV, a 55-inch Vu LED TV (model number: 55SU134) with built-in Android TV functionality, while setting up Backdrop/Ambient Mode through his Pixel 2XL phone.


Facebook criticized for misuse of phone numbers provided for security

By Lisa Vaas

Facebook’s under fire – again. This time, it’s for using phone numbers provided for security reasons, for other things.

Users are once again accusing Facebook of playing fast and loose with their privacy, allowing users to look up their profiles using the phone number they thought they were only providing for 2FA (two-factor authentication). What’s more, there’s no getting out of it, since Facebook has no opt-out for the “look me up by my phone number” setting.

This latest scandal blew up on Friday, when Emojipedia founder Jeremy Burge publicly criticized Facebook’s information-slurping operation.

In a string of tweets sent after that, Burge said that he noticed that in September Facebook slipped in an understated “and more,” appended to the original phone number prompt. The “and more” linked to a page that explained that the number would be used for purposes other than securing your account.


Companies are flying blind on cybersecurity

By Danny Bradbury

IT managers are flying blind in the battle to protect their companies from cyberattacks, according to a survey released today. The result is that getting pwned is now the rule, rather than the exception.

Sophos, which publishes this blog, worked with market research company Vanson Bourne to survey 3,100 IT managers across the globe. The survey covered companies in 12 countries, and quizzed organizations with as few as 100 users and as many as 5,000, finding that 68% of companies had been hit by a cyberattack in the last year.

The reason surfaced quickly enough; companies can’t see what’s happening on their endpoint devices. It leaves them struggling to prevent attacks or even to know how and when they happened.

Most threats (37%) are only discovered when they reach servers, and another 37% are detected on the network. Attacks typically start on endpoint devices, so if companies are only picking them up on the server, that means attackers have already been snooping around their infrastructure for some time. Unfortunately, 17% of IT managers didn’t know exactly how long. Those who did know said that attackers had been on their networks for 13 hours before being detected. That’s plenty of time to steal a juicy batch of data or to plant some nasty ransomware.



Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation