Microsoft says users are protected from alleged NSA malware

Up-to-date Microsoft customers are safe from the purported National Security Agency spying tools dumped online.

Up-to-date Microsoft customers are safe from the purported National Security Agency spying tools dumped online, the software company said Saturday, tamping down fears that the digital arsenal was poised to wreak havoc across the internet .

In a blog post , Microsoft Corp. security manager Phillip Misner said that the software giant had already built defenses against nine of the 12 tools disclosed by TheShadowBrokers, a mysterious group that has repeatedly published NSA code . The three others affected old, unsupported products. “Most of the exploits are already patched,” Misner said.

The post knocked back warnings from some researchers that the digital espionage toolkit made public by TheShadowBrokers took advantage of undisclosed vulnerabilities in Microsoft’s code. That would have been a potentially damaging development because such tools could swiftly be repurposed to strike across the company’s massive customer base.

Those fears appear to have been prompted by experts using even slightly out-of-date versions of Windows in their labs. One of Microsoft’s fixes, also called a patch, was only released last month.”I missed the patch,” said British security architect Kevin Beaum.

Beaumont wasn’t alone. Matthew Hickey, of cybersecurity firm Hacker House, also ran the code against earlier versions of Windows on Friday. But he noted that many organizations put patches off, meaning “many servers will still be affected by these flaws.” Everyone involved recommended keeping up with software updates. “We encourage customers to ensure their computers are up-to-date,” Misner said.

Public charging stations may make your phone vulnerable to hacking

 

Plugging your smartphone to public charging stations or computers using USB cables can make your device vulnerable to hackers.

Plugging your smartphone to public charging stations or computers using USB cables can make your device vulnerable to hackers, warn scientists including one of Indian origin. Experts have long known the risks of charging a smartphone using a USB cord that can also transfer data.

The new research at New York Institute of Technology (NYIT) shows that even without data wires, hackers using a “side channel” can quickly find out what websites a user has visited while charging a device. Researchers, including NYIT Kiran Balagani, warn that “a malicious charging station” can use seemingly unrelated data -such as a device’s power consumption – to extract sensitive information.

As a walk through any airport will show, most people are happy to plug their phones into public charging stations, putting their phones at risk of “juice-jacking,” when a compromised outlet steals data through a USB data cable, researchers said. The study is the first to show that even without a data cable, hackers can analyse a device’s power needs to get at users’ private information, with speed and accuracy depending on a number of factors.

The side-channel attacks were successful as “webpages have a signature that reflects the way they load and consume energy,” said Paolo Gasti, assistant professor at NYIT. The remaining power traces act as “signatures” and help hackers discover which sites have been visited. The researchers conducted the study using power use signatures they had previously identified and tested the attack under various conditions.

After collecting power traces via a range of smartphones browsing popular websites, researchers launched attacks and checked the accuracy with which their algorithms could determine which websites were visited while the phones were plugged in. Various factors such as battery charging level, browser cache enabled/disabled, taps on the screen, and Wi-Fi/LTE influenced the accuracy rate in tracing websites visited.

Some conditions, such as a fully charged battery, facilitate a fast and accurate penetration, while others, such as tapping the screen while a page is loading, lessen hackers’ ability to determine what website is being viewed. The important finding from the study is that such an attack can be carried out successfully, researchers said.

In the study, the slower, less accurate attempts at penetration were still accurate within six seconds about half the time. “Although this was an early study of power use signatures, it’s very likely that information besides browsing activity can also be stolen via this side channel,” said Gasti. “Since public USB charging stations are so widely used, people need to be aware that there might be security issues with them. For example, informed users might choose not to browse the web while charging,” he said.