Daily Archives: November 23, 2020

Crash Analysis Series: An exploitable bug on Microsoft Teams ?! A Tale of One Bit

This is a story about a Microsoft Teams crash that we investigated recently. At first glance, it looked like a possible arbitrary code execution vulnerability, but after diving deeper we realized that there’s another explanation for the crash.

TLDR;

  • ZecOps ingested and analyzed a Microsoft Teams crash on a Windows machine that, at first glance, looked exploitable
  • The same machine had a number of other anomalies
  • ZecOps verifies anomalies such as blue screens, sudden crashes, and mobile restarts without the power button being pressed, and determines whether they are related to cyber attacks, software/hardware issues, or configuration problems.
  • Spoiler alert:

After analyzing the crash further, we realized that the apparently exploitable crash was caused by faulty hardware and was not related to an intentional attack. We suspect a bit flip caused by a bad hardware component.

  • Business impact: Hardware problems are more common than we think. Recurring faulty-hardware issues lead to continuous loss of productivity, context switches, and IT/cyber disruptions, so identifying faulty hardware early saves a lot of time. We recommend using the freely available, agent-less tool ZOTOMATE to tell software problems from hardware problems. ZecOps leverages machine learning and its mobile threat intelligence, mobile DFIR, endpoint and server crash analysis, and mobile app crash analysis to perform such analysis at scale.

The crash

Looking at the call stack, we saw that the process crashed due to a stack overflow:

 # Child-SP          RetAddr               Call Site
00 000000e5`84600f20 00007ffd`9048ebbc     ntdll!RtlDispatchException+0x3c
01 000000e5`84601150 00007ffd`9049a49a     ntdll!RtlRaiseStatus+0x5c
02 000000e5`846016f0 00007ffd`9048ebbc     ntdll!RtlDispatchException+0xa5cba
03 000000e5`84601e20 00007ffd`9049a49a     ntdll!RtlRaiseStatus+0x5c
04 000000e5`846023c0 00007ffd`9048ebbc     ntdll!RtlDispatchException+0xa5cba
05 000000e5`84602af0 00007ffd`9049a49a     ntdll!RtlRaiseStatus+0x5c
06 000000e5`84603090 00007ffd`9049350e     ntdll!RtlDispatchException+0xa5cba
07 000000e5`846037c0 00007ffd`9048eb73     ntdll!KiUserExceptionDispatch+0x2e
08 000000e5`84603f60 00007ffd`9049a49a     ntdll!RtlRaiseStatus+0x13
09 000000e5`84604500 00007ffd`9048ebbc     ntdll!RtlDispatchException+0xa5cba
0a 000000e5`84604c30 00007ffd`9049a49a     ntdll!RtlRaiseStatus+0x5c
0b 000000e5`846051d0 00007ffd`9048ebbc     ntdll!RtlDispatchException+0xa5cba
[307 more pairs of RtlRaiseStatus and RtlDispatchException]
272 000000e5`846fb670 00007ffd`9049a49a     ntdll!RtlRaiseStatus+0x5c
273 000000e5`846fbc10 00007ffd`9049350e     ntdll!RtlDispatchException+0xa5cba
274 000000e5`846fc340 00007ff7`8b93338a     ntdll!KiUserExceptionDispatch+0x2e
275 000000e5`846fcad0 00007ff7`8b922e4d     Teams!v8_inspector::V8StackTraceId::ToString+0x39152a
[More Teams frames...]
2c1 000000e5`846ffa40 00007ffd`9045a271     kernel32!BaseThreadInitThunk+0x14
2c2 000000e5`846ffa70 00000000`00000000     ntdll!RtlUserThreadStart+0x21

It can be seen from the call stack that the original exception occurred earlier, at address 00007ff7`8b93338a (frame 275). Due to incorrect exception handling, RtlDispatchException raised the STATUS_INVALID_DISPOSITION exception again and again in a loop, until no stack space was left and the process crashed. That is an actual bug in Teams that Microsoft might want to fix, but it manifests itself only when the process is about to crash anyway, so it might not be a top priority.

The original exception

To extract the original exception that occurred at address 00007ff7`8b93338a, we did what Raymond Chen suggested in his blog post, Sucking the exception pointers out of a stack trace: the context record passed to KiUserExceptionDispatcher sits at that frame’s Child-SP (000000e5`846fc340 in frame 274 above), so passing that address to the .cxr command gave us the following output:

0:000> .cxr 000000e5846fc340
rax=00005f5c70818010 rbx=00005f5c70808010 rcx=000074e525bf0e08
rdx=0000006225f01970 rsi=000016b544b495b0 rdi=0001000000000000
rip=00007ff78b93338a rsp=000000e5846fcad0 rbp=0000000000000009
 r8=000000e5846fcb68  r9=00000000ff000000 r10=0000000000ff0000
r11=000000cea999e331 r12=00005f5c70808010 r13=0000000000001776
r14=0000006225f01970 r15=000000e5846fcaf8
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
Teams!v8_inspector::V8StackTraceId::ToString+0x39152a:
00007ff7`8b93338a 488b07          mov     rax,qword ptr [rdi] ds:00010000`00000000=????????????????

The original exception was triggered by dereferencing an invalid pointer with the value 00010000`00000000. Not only does the pointer look invalid, it is a non-canonical address on today’s x86-64 implementations: with 48-bit virtual addressing, bits 63 through 47 must all be equal, but here bit 48 is set while bit 47 and every bit above 48 are clear. Such an address can never be mapped or become valid. Next, we looked at the instructions following the faulting one:

0:000> u
Teams!v8_inspector::V8StackTraceId::ToString+0x39152a:
00007ff7`8b93338a 488b07          mov     rax,qword ptr [rdi]
00007ff7`8b93338d 4889f9          mov     rcx,rdi
00007ff7`8b933390 ff5008          call    qword ptr [rax+8]
[...]

Very interesting! If we can control the rdi register at this point of the execution, that is a great start for arbitrary code execution: rdi is used as an object pointer whose first qword is read as a virtual table, and the second entry of that table is then called. All we need in order to control the instruction pointer is to point rdi at a fake virtual table, or at an existing one, and the lack of Control Flow Guard (CFG) support makes things even easier. As a side note, there is an issue about adding CFG support which is being actively worked on.

At this point, we wanted to find answers to the following questions:

  • How can this bug be reproduced?
  • What source of input can trigger the bug? Specifically, can it be triggered remotely?
  • To what extent can the pointer be controlled?

The original exception stack trace

In order to try and reproduce the crash, we needed to gather more information about what was going on when the exception occurred. We checked the original exception stack trace and got the following:

0:000> k
 # Child-SP          RetAddr               Call Site
00 000000e5`846fcad0 00007ff7`8b922e4d     Teams!v8_inspector::V8StackTraceId::ToString+0x39152a
01 000000e5`846fcb40 00007ff7`8b92f29b     Teams!v8_inspector::V8StackTraceId::ToString+0x380fed
02 000000e5`846fcbc0 00007ff7`8b92f21f     Teams!v8_inspector::V8StackTraceId::ToString+0x38d43b
03 000000e5`846fcc00 00007ff7`8b9308c0     Teams!v8_inspector::V8StackTraceId::ToString+0x38d3bf
04 000000e5`846fcc80 00007ff7`8b064123     Teams!v8_inspector::V8StackTraceId::ToString+0x38ea60
05 000000e5`846fce10 00007ff7`8b08b411     Teams!v8::Unlocker::~Unlocker+0xf453
06 000000e5`846fce60 00007ff7`8b088f16     Teams!v8::Unlocker::~Unlocker+0x36741
07 000000e5`846fd030 00007ff7`8b087eff     Teams!v8::Unlocker::~Unlocker+0x34246
08 000000e5`846fd190 00007ff7`8b053b79     Teams!v8::Unlocker::~Unlocker+0x3322f
09 000000e5`846fd1c0 00007ff7`8b364e51     Teams!v8::Unwinder::PCIsInV8+0x22059
0a 000000e5`846fd2e0 00007ff7`8b871abd     Teams!v8::internal::TickSample::print+0x54071
0b 000000e5`846fd3d0 00007ff7`8b84e3b8     Teams!v8_inspector::V8StackTraceId::ToString+0x2cfc5d
0c 000000e5`846fd420 00005ebc`b2fdc6a9     Teams!v8_inspector::V8StackTraceId::ToString+0x2ac558
0d 000000e5`846fd468 00007ff7`8b800cb8     0x00005ebc`b2fdc6a9
[More Teams frames...]
4c 000000e5`846ffa40 00007ffd`9045a271     kernel32!BaseThreadInitThunk+0x14
4d 000000e5`846ffa70 00000000`00000000     ntdll!RtlUserThreadStart+0x21

It can be deduced from the large offsets that something is wrong with the symbols, as Raymond Chen also explains in his blog post, Signs that the symbols in your stack trace are wrong. In fact, Teams comes with no symbols, and there’s no public symbol server for it, so the symbols we see in the stack trace are some of the few functions exported by name. Fortunately, Teams is based on Electron which is open source, so we were able to match the Teams functions on the stack to the same functions in Electron. At first, we tried to do that with a binary diffing tool, but it didn’t work so well due to the executable/symbol files being so large (exe – 120 MB, pdb – 2 GB), so we ended up matching the functions manually.

Here’s what we got after matching the symbols:

 # Call Site
00 WTF::WeakProcessingHashTableHelper<...>::Process
01 blink::ThreadHeap::WeakProcessing
02 blink::ThreadState::MarkPhaseEpilogue
03 blink::ThreadState::AtomicPauseMarkEpilogue
04 blink::UnifiedHeapController::TraceEpilogue
05 v8::internal::GlobalHandles::InvokeFirstPassWeakCallbacks
06 v8::internal::Heap::CollectGarbage
07 v8::internal::Heap::CollectGarbage
08 v8::internal::Heap::HandleGCRequest
09 v8::internal::StackGuard::HandleInterrupts
0a v8::internal::Runtime_StackGuard
0b v8::internal::compiler::JSCallReducer::ReduceArrayIteratorPrototypeNext
0c Builtins_ObjectPrototypeHasOwnProperty
[...]

WTF was indeed our reaction when we saw where the exception occurred (which, of course, means Web Template Framework).

From what we can see, Object.prototype.hasOwnProperty was called, a garbage collection was triggered at that point, and the invalid pointer was dereferenced while the collector was processing one of Blink’s weak hash tables. Could it be that we had found a memory bug in the V8 garbage collection? We believed that to be quite unlikely. And if so, how would we reproduce it?

Switching context

At this point we put the Teams crash on hold and looked at the other crashes which had occurred on the same computer. Once we did that, it all became clear: the machine had several BSODs, all bucketed as MEMORY_CORRUPTION_ONE_BIT, which indicates single-bit memory corruption and points to faulty memory hardware. That is exactly what appears to have happened in the Teams crash: the faulty address was originally a NULL pointer, but one corrupted bit (bit 48) turned it into 00010000`00000000, causing the exception and the crash.
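
To make the two checks in this analysis concrete (the canonical-address test from the original-exception section and the one-bit-flip explanation above), here is an added Python example; it is not code from the ZecOps post. It parses a WinDbg register dump (the lines embedded below are the .cxr output shown earlier), tests whether a 64-bit address is canonical under 48-bit virtual addressing (an assumption; LA57 hardware would use 57 bits), and reports whether the address is exactly one bit away from a candidate original value, NULL by default.

```python
from __future__ import annotations
import re

# Register dump as printed by WinDbg's .cxr command in the analysis above.
WINDBG_CXR = """\
rax=00005f5c70818010 rbx=00005f5c70808010 rcx=000074e525bf0e08
rdx=0000006225f01970 rsi=000016b544b495b0 rdi=0001000000000000
rip=00007ff78b93338a rsp=000000e5846fcad0 rbp=0000000000000009
 r8=000000e5846fcb68  r9=00000000ff000000 r10=0000000000ff0000
r11=000000cea999e331 r12=00005f5c70808010 r13=0000000000001776
r14=0000006225f01970 r15=000000e5846fcaf8
"""

VA_BITS = 48            # assumption: 4-level paging; 5-level (LA57) would be 57
MASK64 = (1 << 64) - 1


def parse_registers(dump: str) -> dict[str, int]:
    """Map every 'reg=hex' pair in a WinDbg register dump to an integer."""
    pairs = re.findall(r"\b([a-z][a-z0-9]{1,2})=([0-9a-f]{16})\b", dump)
    return {name: int(val, 16) for name, val in pairs}


def is_canonical(addr: int, va_bits: int = VA_BITS) -> bool:
    """x86-64 canonical form: bits 63..va_bits-1 are all copies of bit va_bits-1,
    so the top (64 - va_bits + 1) bits are either all zero or all one."""
    top = (addr & MASK64) >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def flipped_bits(observed: int, expected: int) -> list[int]:
    """Bit positions at which the two values differ (empty when equal)."""
    diff = (observed ^ expected) & MASK64
    return [i for i in range(64) if (diff >> i) & 1]


def triage_fault_address(addr: int, candidates: tuple[int, ...] = (0,)) -> dict:
    """Classify a faulting pointer: is it canonical, and is it exactly one bit
    away from any candidate 'intended' value (NULL by default)?"""
    verdict = {
        "address": f"{addr:016x}",
        "canonical": is_canonical(addr),
        "one_bit_from": None,
        "flipped_bit": None,
    }
    for cand in candidates:
        bits = flipped_bits(addr, cand)
        if len(bits) == 1:
            verdict["one_bit_from"] = cand
            verdict["flipped_bit"] = bits[0]
            break
    return verdict


if __name__ == "__main__":
    regs = parse_registers(WINDBG_CXR)
    # rdi from the dump: non-canonical, and exactly bit 48 away from NULL
    print(triage_fault_address(regs["rdi"]))
```

A single non-canonical pointer on its own proves nothing; the verdict only becomes convincing, as in this case, when the same machine shows other single-bit corruptions (the MEMORY_CORRUPTION_ONE_BIT bugchecks) and the flipped bit is the only difference from a value the code could plausibly have held.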

Conclusion

The conclusion is that the relevant computer needs its faulty hardware replaced, and that nothing in V8’s garbage collection had anything to do with the crash. It is yet another reminder that hardware problems can cause anomalies that are hard to explain, such as this Teams crash or crashing at the xor eax, eax instruction.

Advice: Protecting Lone Workers Through Covid Restrictions

Protecting lone workers is an issue that businesses may not have come across previously, especially those based in busy city centre office blocks pre-coronavirus. Yet with many thriving business districts deserted through a lockdown and not everyone able to work from home, it’s an issue more management teams are having to consider. 
Here, Jonathan Fell of digital security provider Digital ID, outlines some of the ways to protect members of staff who find themselves lone working during lockdown number two.

“Most businesses have got to grips with the challenges around managing teams remotely, but what about the needs of those employees who can’t or won’t work from home? In following Government guidelines, firms could be inadvertently putting employees who need to stay office-based at risk in other areas – security, mental health/wellbeing and medical suitability being just a few of the potential causes for concern.

“Even if there are a small number of employees in the workplace you should still put procedures in place for times in the day when workers will be alone for example lunchbreaks and variations in contracted hours.”

Security and Access Control
“Security is one of the main concerns,” said Jonathan. “Ensuring that staff members are not put into dangerous situations in the workplace. Don’t forget, empty offices could be a potential target for robberies, leaving staff on their own more vulnerable to theft. Your lone worker will need briefing and support on how to identify and report threats. 

“An update to the security system will be needed to reflect who is coming in and out of the building. In terms of ID cards that means making sure your policies are updated to include new procedures relating to lone workers and the building.

“Someone should be appointed to monitor the login records to ensure staff arrive and leave at the expected times – luckily that’s easy to do remotely with a digital ID card system. If your current access control system doesn’t allow you to do this, you should really think about upgrading your system.”

Find out more about this over on the Digital ID blog: https://www.digitalid.co.uk/blog/to-upgrade-or-not-to-upgrade-why-2020-is-the-time-to-migrate-your-access-control-system

“Having someone on call and close enough to respond in an emergency is another important consideration. A tip here is to print emergency contact details onto the reverse of their ID or access cards. Given that these should be kept on the person at all times, it means contact numbers are easy to find and use if a person needs help quickly.

“Things like checking your employee has good mobile phone coverage in the place of work is something a lot of people don’t think about but is very important these days. If they don’t, then they’ll need an active landline within easy access.

“If photo ID is connected to an access control system, you may need to restrict access to some of the building in light of any new changes. Think about where needs to be accessed and how frequently by the lone worker, perhaps moving some things around within the building to ensure they can stick to a smaller footprint that will put them less at risk.

“A final thought on security is that coming in and leaving at exactly the same time every day carrying laptops or other equipment could make them a target for personal theft; this needs to be weighed up against travelling at times when it’s dark and isolated. All should be covered in a full risk assessment.

“It’s worth remembering that as a business you’re responsible for workers lone working at home too, so while there will not be complicated access concerns there, looking after the mental health and wellbeing of your team should remain a priority, as well as making sure they know what to do in a medical emergency.”

Digital ID is the UK’s largest ID card company offering a complete service. For 25 years the organisation has helped businesses and their employees stay secure. It provides a range of products and services including plastic ID card printing, ID card printers and lanyards tailored to meet the requirements of its customers. Find out more at www.digitalid.co.uk

‘Antiquated process’: data regulator on obtaining Cambridge Analytica warrant

UK information commissioner calls for international approach to emerging threat

The information commissioner has criticised the “antiquated process” that led to Facebook getting hold of Cambridge Analytica’s servers before the UK regulator itself, and renewed calls for an international approach to data privacy to tackle the emerging threat of data havens.

Elizabeth Denham, the information commissioner, spoke to Damian Collins MP, the former chair of the digital, culture, media and sport committee, who led the parliamentary enquiry into disinformation, on his podcast Infotagion. She described discovering that Facebook was inside the offices of defunct electioneering consultancy Cambridge Analytica while in the middle of an interview with Channel 4’s Jon Snow.

70,000 Phishing Emails Sent Impersonating the IRS: How to Stay Protected

You wake up, log in to your Outlook, and find an email waiting in your inbox from support@irs.gov. Much to your confusion, the email claims that you have an outstanding account balance that you must pay immediately, or you will face legal charges.  

As it turns out, you’re not the only one to receive this message. According to Bleeping Computer, a phishing campaign was recently discovered impersonating the IRS, with 70,000 spoofed emails reaching users’ inboxes. Let’s unpack how this scheme works.

Watch Out for Spoofed IRS Emails 

This scam targets Microsoft 365 users and threatens to press legal charges unless the recipient settles an outstanding account balance. While some of the telltale signs of a phishing scam are grammar errors and misspellings throughout the body and address of the email, this threat is a little more sophisticated. To make the threat appear more credible, the scammers spoof the sender address support@irs.gov, leading recipients to believe that the email actually originated from the IRS. The email also appears to have no spelling errors at first glance, which further lends it legitimacy in the eyes of an unsuspecting user.

This scam is not foolproof, however. A recipient who inspects the email’s headers would see that the real sending domain is shoesbagsall.com, and that the Reply-To field redirects replies to legal.cc@outlook.com instead of the IRS support mailing address.
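
The header inspection just described can be automated. The following is an added Python example, not code from the McAfee post: it parses a raw message and flags mismatches between the visible From domain and the Reply-To, Return-Path and first Received headers. The sample message is constructed for this demonstration; the three domains (irs.gov, shoesbagsall.com, outlook.com) are the ones the post names, while the recipient, relay name and IP address are made up.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message modelled on the campaign described above.
# Only the three domains come from the post; everything else is invented.
SAMPLE = """\
Return-Path: <bounce@shoesbagsall.com>
Received: from mail.shoesbagsall.com (mail.shoesbagsall.com [203.0.113.10])
    by mx.example.net with ESMTP id abc123; Mon, 23 Nov 2020 08:00:00 +0000
From: "IRS Support" <support@irs.gov>
Reply-To: legal.cc@outlook.com
To: victim@example.net
Subject: Outstanding account balance - immediate action required

Your account has an outstanding balance. Reply with payment details.
"""


def domain_of(header_value):
    """Mailbox domain from an address header value, lowercased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def first_received_host(msg):
    """Host named in the 'from' clause of the topmost Received header, i.e. the
    hop recorded by the receiving server closest to us ('' if absent)."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", received[0])
    return m.group(1).lower() if m else ""


def same_org(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def header_findings(raw_message):
    """Return a list of human-readable mismatches between the displayed sender
    and the headers that show where replies and bounces really go."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    findings = []

    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    bounce_dom = domain_of(msg.get("Return-Path"))
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")

    host = first_received_host(msg)
    if host and not same_org(host, from_dom):
        findings.append(f"message was received from {host}, which is not a {from_dom} host")

    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE):
        print("-", finding)
```

Treat these as signals rather than a verdict: legitimate bulk senders often use a Return-Path on a different domain, and a well-run Reply-To may legitimately differ from From. The authoritative check is the Authentication-Results header your mail gateway adds with the SPF, DKIM and DMARC outcomes; a From of irs.gov that fails DMARC should be rejected outright.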

To further entice users into falling for this scheme, scammers threaten arrest or other legal charges and tell recipients that they will forward the emails to their employer to withhold the fake outstanding amounts from their wages. Additionally, the emails also instruct the targets to immediately reply with payment details to avoid having their credit affected.  

Send IRS Scammers Packing With These Security Tips  

 The best way to stay protected from phishing scams? Knowing how to spot them! Follow these security tips and best practices to prevent falling for fraudsters’ tricks:  

Go directly to the source 

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. 

Be cautious of emails asking you to act 

 If you receive an email or text asking you to download software or pay a certain amount of money, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links or forking over money unnecessarily. 

Hover over links to see and verify the URL 

 If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether. 

Change your password 

 If you accidentally respond to a phishing email with your personal data, change the passwords of any accounts you suspect may have been affected. Make sure your new credentials are strong and unique from your other logins. For tips on how to create a more secure password, read our blog on common password habits and how to safeguard your accounts.

Consider using identity theft protection 

 A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post 70,000 Phishing Emails Sent Impersonating the IRS: How to Stay Protected appeared first on McAfee Blogs.

Zooming with the Grandkids: Five Easy Video Chat Apps for the Holidays

Zooming with the Grandkids, Nieces, and Nephews: Five Free and Easy Video Chat Apps for the Holidays

All the kids are doing it, and so can you.

If you haven’t hopped onto a video chat with the family yet, the holidays are a great time to give it a whirl. While there are plenty of apps and services out there for video chatting, I put together a quick list of the more no-nonsense options.

Broadly speaking, I selected video chatting apps that are free, relatively straightforward, and possibly something you already have on your smartphone, tablet, or computer. From there, I also offer up some advice that can keep you and your family safe while you chat. Let’s take a look …

Video chatting with your smartphone or tablet

One of the easiest ways to hop onto a video chat is with your smartphone or tablet. They can save you a bit of configuring and fiddling around with settings because these devices have cameras, microphones, and video chat apps already built in. In that way, they’re optimized for video chat, so using one of them is practically “point and shoot.”

Depending on what smartphone or tablet you have, you have a couple of leading options:

FaceTime – iOS and Mac OS devices

Pre-installed on iPhones and iPads, FaceTime can connect up to 32 people on iOS and Mac OS devices at one time. That way, if you want to chat with a few family members at once, you can have plenty of people join in. Note that only iOS and Mac OS devices can use FaceTime, so the person you want to chat with will need FaceTime on a iOS or Mac OS device as well. Connections are quite simple. In fact, as simple as making a phone call. You can start a FaceTime call with a tap of family members in your contact list. Your device does the rest.

Google Duo – Android devices and multiple platforms

Google Duo is a video chat app much akin to FaceTime that’s found on plenty of Android phones and tablets. However, it differs from FaceTime in that it’s available for multiple platforms. For example, there’s a Google Duo app for iPhones, so if your grandkids have iPhones, they can install Google Duo and chat with you on your Android phone.

Also, you can use Google Duo in a web browser without installing an app. That’s a great option if you have a camera-ready laptop or computer (which we’ll talk about more next). Google Duo also features “Family Mode”, where you can put on masks and doodle on the screen if you’re signed in with a Google account.

Free video chat from your computer

If you don’t have a smartphone or tablet, there are still plenty of options that are free and relatively easy as well.

For starters, you’ll need a laptop or computer with a microphone and camera, which is more or less standard in laptops today. If your laptop or computer doesn’t have that combo already, not to worry. There are plenty of moderately priced web cameras that include a microphone. I suggest getting one with a physical lens cap. That way it always protects your privacy. Likewise, you can always disconnect yours when it’s not in use.

With that, here are a few options for video chatting on your computer:

Zoom

Originally aimed at a business audience, families and schools quickly latched on to Zoom for its ease of use at the start of the pandemic. Zoom offers unlimited time and unlimited calls for one-to-one meetings, yet has a 40-minute limit once there are more than two devices connected. While there’s an app available, I recommend that you set up a free account and run it through a browser window. That way, you don’t have to deal with an install and you’ll always be running the latest version with its security fixes.

Skype

Skype from Microsoft has been around for a long time, getting its start back in the early 2000s as a voice and text chatting app. Today, it comes standard on Windows PCs and has apps for all kinds of tablets and smartphones too. Up to 50 people can join, which is of course plenty. If you want to create a video chat without an account, you can simply visit Skype’s website and start an instant video chat with a click. That’ll give you a link that you can copy and share with your family, and when they click on that link, you’ll all be connected.

Google Meet

Free to anyone with a free Google Gmail account, you can use Google Meet just by clicking its icon from your Google apps menu or by visiting https://meet.google.com/. Originally designed for businesses, governments, and schools, this premium product is now available to all. Some nice features include the ability to schedule a meeting with your family using Google Calendar and additional security features that help make sure your call is private. Like Zoom and Skype, it can run in the window of your browser, so there’s no app to download and install.

Setting up your computer for a video call

As I mentioned above, there’s practically no setup when it comes to running a video call on your smartphone or tablet, as they’re already configured for video. Computers, however, may take a little more effort.

The first thing is to make sure that your microphone, speakers, and camera are all set up and ready to go. If you have a Windows computer, you can check out this quick article to get your audio set up and this article for setting up your camera. For Macs, check out this article for audio and this article for video.

From there, you can log into your video chat app or service of choice and give your audio and video a test just to make sure everything is a go. You can do this before you make a call by starting the app as you normally would and then clicking on the menu item for “Settings.” Each app handles it a little differently, yet the interface should show you if it detects your camera, microphone, and speakers. Once you’re set up, you likely won’t have to go back in and do it again.

Lights, camera, chat!

Now, it’s time to think like a movie director. As you might think, the camera angle and lighting in your room make all the difference on a video chat.

In a way, the camera is the way you’ll make eye contact with your family. Set the camera or hold your device so that it’s at eye level with you. That way, it’ll appear like you’re making eye contact with them. Few things feel stranger on a video chat than a camera angle that appears to have you looking down at them (and with them looking up your nose in return).

As for lighting, avoid sitting with a light source behind you. The camera will adjust itself to the light source instead of you, putting your face in the dark. Instead, look to have a light source that’s in front and a bit off to the side from you. That’ll light your face without washing out your face in harsh light. Likewise, if you’re sitting in front of a computer monitor while you’re chatting, see if you can lower the brightness on the monitor. That’ll keep your video looking great as well.

Keeping safe on your calls

Once you’re all set up, here are a few things that will help keep your calls private and secure.

Set a password

If you’re initiating the chat, be sure to set a password so that uninvited parties can’t join the call. Also, don’t be shy about asking your family members to use a password on the calls they initiate. It’s pretty much standard practice nowadays.

Double-check any video chat invitation links

Many services, like Zoom, allow people to join a video chat by clicking a link. As with any link that’s sent to you, be sure that it’s legitimate. Confirm the link with the family member who sent it, particularly if you weren’t expecting one.

Use security software

Likewise, make sure that you’re using comprehensive security software that protects you from scam emails and links, and blocks links that could send you to sketchy websites. That way, if you do get sent a bogus invite link from a scammer, you’ll be protected.

Join using your browser when you can

When you click a link to join a video call from your computer, it will open a new browser tab that will prompt you to join the call. Often, there will be an option to “join using the app,” which your browser will automatically download if you click that option. However, the easiest way to join is by clicking the option to “join using my browser.” In addition to being a no-fuss option, it also means one less app on your device to keep current.

Keep your apps up to date

Aside from giving you the latest features and functionality, updates also often include essential security improvements. Set your computer to update itself automatically and consider using security software that will scan for vulnerabilities and install updates automatically as needed.

Chat it up!

With the holidays upon us and the New Year on the horizon, now’s a great time to give video chatting a try. As with any new app you try, do a little research of your own before you download it. Check out the news and reviews to see if it’s right for you or whether there have been any security concerns.

I hope this overview gives you a great start and that it becomes just one more of the many ways you keep in touch, whether during the holidays or year ’round.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Zooming with the Grandkids: Five Easy Video Chat Apps for the Holidays appeared first on McAfee Blogs.

Seven Debunked Myths of Cybersecurity

Article by Kristin Herman, a writer and editor at Ukwritings.com and Academized.com

The term 'cybersecurity' has been tossed around a lot lately. But although cybersecurity has been viewed as a saving grace for mobile devices, computers, and so on, the topic is still cloaked in misconception. Questions that pop up around cybersecurity include:
  • The idea of security
  • Password strength
  • Who cybersecurity threats target and affect
  • If insurance will cover damages
  • How effective an IT team actually is
  • Cybersecurity “costs”
  • What devices are most vulnerable to malware?
However, as one side says one thing while the other contests it, it’s easy to get caught up in believing the wrong things. In fact, a lot of people get it wrong. So, to understand the truth about cybersecurity, check out this quick guide, which covers seven of the most common myths about the subject:

1. “Physical Security and Cybersecurity are Two Different Things”
“The truth is, physical security is not separate from cybersecurity,” says Angela Macquarie, a business writer at Academized and Oxessays. “Both can help safeguard machines and paper documents. And, while both can function online and offline, the things they protect will hold sensitive data, which can be at risk of being exposed if the owner or holder is not careful.”

2. “Having a Good Password Protects You”
When it comes to passwords, you can’t leave anything to chance. Even though weak passwords are still commonplace, it’s hard to imagine many people using passwords like “123456” or “qwerty,” especially after being warned not to do so. Therefore, it’s imperative to make your passwords complex and difficult for other people to guess. And keep your passwords updated, so that you stay one step ahead of cybercriminals.

3. “Cybercriminals only Attack Large Businesses”
Wrong. Cybercriminals will go after any type of business – big or small. Since cyber thieves don’t discriminate, it’s important to keep your devices and data safe with an effective cybersecurity framework, regardless of the size of a business.

4. “Insurance will cover Cybersecurity Breaches”
Wrong again. In actuality, most general business insurance policies won’t cover you in the event of a data breach; while some policies might cover financial losses resulting from one, most won’t.

So, when shopping around for business-related insurance, make sure the policy will compensate you when the dreaded breach happens. Or, you can buy cyber insurance separately. Purchasing cyber and data insurance will be worth the investment if you’re looking to protect customer and other sensitive data from infiltration.

5. “The IT Team has you Covered”
Think that IT teams can save your business, whenever data breaches happen? Think again!

While IT staff will most likely know about potential vulnerabilities and attacker techniques, they can't control every element involved, and in particular they can't stop breaches that stem from other employees' mistakes. Your IT team is only one part of the human firewall, so make it your job to add more layers of protection beyond them.

6. “Cybersecurity is Costly”
“When people think about cybersecurity, they assume that investing in it will cost hundreds, or thousands, of dollars,” says Sheila Flynn, a marketing blogger at Boom Essays and Paper Fellows. “However, having a strong human firewall to defend you against cybercrime is entirely free – apart from creating an IT security policy and training staff. Investment can go a long way, as cybersecurity will greatly benefit your business.”

As such, consider consulting a cybersecurity expert, or look into comprehensive training and advice, to help you put together an effective system that will protect all of your devices and data.

7. “Viruses only affect Desktops”
As technology continues to evolve – especially with more advanced smartphones and tablets working in almost the same capacity as computers – viruses aren't just a computer thing. Smartphones, tablets, and other mobile devices can fall victim to malware if the user doesn't have enough protection for them. Internet access was all it took for malware to reach computers, and any other device that connects to the Internet is just as vulnerable.

Conclusion
Having read through these seven debunked myths, we hope that you have a better understanding of cybersecurity. The ultimate goal of this guide is to keep you, the device user, informed. By learning how cybercriminals work and the truth behind today's most common myths, you'll recognise the mistakes you might be making now with your devices, and fix them right away.

About the Author: Kristin Herman is a writer and editor at Ukwritings.com and Stateofwriting.com. She is also a contributing writer for online publications, such as Essayroo.com. As a marketing writer, she blogs about the latest trends in online advertising and social media influencing.

IoT Unravelled Part 1: It’s a Mess… But Then There’s Home Assistant

With the benefit of hindsight, this was a naïve question:

In my mind, the answer would be simple: "Just buy X, plug it in and you're good to go". Instead, I found myself heading down the rabbit hole into a world of soldering, custom firmware and community-driven home automation kits. Finally, a full 123 days later, I managed to open my garage door with an app:

What follows is my journey down that very deep, very dark rabbit hole from which I thought I'd never emerge. Every time I thought I had an answer, it raised 2 more questions. I had to buy new gear, learn new acronyms and work with things I'd never heard of before. I waded through endless online discussions with strong opinions expressed in frequently conflicting directions about things I thought would be simple. Never before have I headed down a technology path that, frankly, is such a fragmented mess.

I added to this blog post as I progressed with a view to ultimately having a "happy path" for others to follow in the future. Instead of a single post, I ended up with a 5-part epic which I'll post piece by piece over the course of this week with the hope that others can follow along and eventually, with enough time and patience, be able to open their garage doors too.

Everybody Wants to be "The IoT Solution"

This is where the whole mess starts: what is the hub of your IoT world? In my original tweet above, I thought it would be Apple's HomeKit which seemed like a reasonable assumption given my family's dependencies on iPhones, iPads, Apple Watches and with an Apple TV in the house. Those in an Android world might reasonably assume that Google Home would be their hub. Others might assume it'd be something Alexa related. But no, every one of those answers is wrong because every single one is a proprietary ecosystem with fragmented support by different devices and a kludge of vendor lock-in. Take this as an example:

Now firstly, the Nerf gun wall is freakin' epic! But secondly, that Arlec LED strip Ari is attaching to the back of the wall runs on the Grid Connect ecosystem which includes support for:

Google and Amazon. That is all. No HomeKit. In fact, HomeKit was often the odd one out when I looked at IoT products, and I can imagine someone explaining it away as Apple demanding things be done the Apple way or the highway, hence the lack of compatible devices. And this wasn't a typo on the Grid Connect website:

It's not just the big players either; you'll find all sorts of lesser-known brands wanting to be the hub of your IoT world. During this whole exercise, I decided I needed to replace the receiver in my home entertainment setup as it wasn't powerful enough to drive the speakers I have. So, I'm in at the home theatre shop and I see this beautifully made universal remote control:

This lovely, brushed aluminium unit is made by Control4 and guess what? They can be the hub of your smart home! Oh - but it's not self-configurable and you need a licensed installer to set it all up for you 🤦‍♂️

Which brings us to Home Assistant or for the sake of brevity, HA.

Home Assistant

This feels like a fair place to start:

But it's also slightly disingenuous because whilst on the surface it may look like yet another solution to the same problem, it's philosophically different in several key ways:

Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.

The Apple / Google / Amazon solutions are all proprietary and tied very closely to the respective tech behemoths' commercial offerings. They want people on their platforms, using their clouds and buying their products. HA, on the other hand, doesn't care who made what or which devices you have or whose clouds you're on, it just wants to tie it all together in a meaningful way. It's an extremely active open source project typically (but not exclusively) run on a Raspberry Pi with a goal of integrating all of your things and keeping them self-contained within your own home rather than being dependent on public cloud services. It has amazing community support and a very devoted fan base which has helped catapult it into one of the top open source projects on GitHub. However...

The learning curve is steep, it has a bunch of rough edges (it's still not reached a v1 as of the time of writing), you end up living in YAML and by any reasonable measure, it's only usable by geeks who are happy living in a world unfamiliar to most mere mortals. Fortunately, that includes me and despite the "maker" nature of the whole thing, I'm massively impressed with HA and nothing else I've seen along my IoT journey comes even close to comparing. If you're going to do IoT in any meaningful way, you start with HA.

The thing is though, you need to be ready to get your hands really dirty:

I captured this tweet and dropped it into the draft blog post as I was lamenting just how damn hard it was to make simple things work the way I wanted them to. But I don't want to get anywhere near that level of detail in this blog series as it'll just scare people off, let me instead focus on the basics and provide enough background to get people heading in the right direction, starting with the fundamental principles of what makes HA great.

Integrations, Devices, Entities, Automations and Scenes

When I'm explaining this to people, I put it like this:

HA integrates with other devices and services which it can both use as triggers and perform actions on.

For example, just to jump straight to the conclusion for a moment, I now have a bunch of little motion sensors around the house that can turn lights on:

This is achieved firstly, by using an integration that can communicate with the sensors and in this case, it's deCONZ which is a product under the Phoscon brand made by Dresden Elektronik (hence the "de" in deCONZ):

I've left other integrations in the screen cap above to give you a sense of some of the other things HA can communicate with: Alexa, WeMo switches, Elgato key lights and many other connected devices in my house. At the time of writing, there are 1,713 different integrations including... a Have I Been Pwned Integration!

The deCONZ integration enables communication with Zigbee devices (more on that in part 2) and per the screen cap above, I presently have 35 of those in my house. One of them is the first motion sensor in the earlier tweet which, in HA, looks like this:

The motion sensor is a device I placed at the bottom of the stairs in my house which spans 3 floors. I have another motion sensor halfway along near the kids' room and another again at the top near our master bedroom. These motion sensor devices each have 3 different entities:

  1. The amount of light they can currently see
  2. A battery level
  3. Whether or not there's currently motion detected

This nomenclature threw me a bit at first but it makes sense: one physical device you can hold in your hand may measure many different things and each one of those things is considered to be an entity (entities aren't just about measurement but let's use that as a simplistic example for the moment). I have little temperature sensors in each room and each one of those devices can measure humidity, pressure, temperature and has a battery state:

Yet another device I now have all over the house is an IoT relay called a Shelly, two of which you can see in the tweet below (they're the little blue units amongst all the wires):

Yes, this is pretty normal Aussie wall socket wiring. No, we don't use gang boxes. Yes, I'm conscious you do things differently in other parts of the world. Moving on, each Shelly has a single entity which is simply a power switch:

So, now we have all the mechanics required to tie together automations and as you can see in the screen cap above (and in the earlier one that shows the stairs motion sensor), I have 2 automations using these devices. I'm not going to go anywhere near the YAML involved in this blog series, let's instead focus on the logic:

  1. If motion is detected at the bottom, middle or top of the stairs and the light level down the bottom is beneath 200 lumens, turn the Shelly on the light switch on
  2. If all 3 motion sensors haven't detected any motion for the last 5 minutes, turn the Shelly on the light switch off

And that's it 🙂
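Since the post deliberately stays out of the YAML, here is what those two rules look like as Home Assistant automations, as an added example that is not from the original post. The entity IDs (the three binary_sensor.stairs_*_motion sensors, sensor.stairs_bottom_light_level and switch.stairs_light) are assumed names standing in for whatever deCONZ and the Shelly integration actually created.

```yaml
# Added example, not from the original post. Entity IDs are assumed;
# replace them with the ones deCONZ and the Shelly integration gave you.
automation:
  - alias: "Stairs light on when motion and dark"
    trigger:
      # any of the three sensors reporting motion starts this rule
      - platform: state
        entity_id:
          - binary_sensor.stairs_bottom_motion
          - binary_sensor.stairs_middle_motion
          - binary_sensor.stairs_top_motion
        to: "on"
    condition:
      # only if the bottom sensor's light level is below the threshold
      - condition: numeric_state
        entity_id: sensor.stairs_bottom_light_level
        below: 200
    action:
      - service: switch.turn_on
        entity_id: switch.stairs_light

  - alias: "Stairs light off after 5 minutes with no motion"
    trigger:
      # fires once a sensor has reported no motion for 5 minutes
      - platform: state
        entity_id:
          - binary_sensor.stairs_bottom_motion
          - binary_sensor.stairs_middle_motion
          - binary_sensor.stairs_top_motion
        to: "off"
        for: "00:05:00"
    condition:
      # and only if all three sensors are clear at that moment
      - condition: state
        entity_id:
          - binary_sensor.stairs_bottom_motion
          - binary_sensor.stairs_middle_motion
          - binary_sensor.stairs_top_motion
        state: "off"
    action:
      - service: switch.turn_off
        entity_id: switch.stairs_light
```

The `for:` timer in the second rule runs per sensor, so it is the state condition that enforces "all three clear" before the Shelly is switched off. The automation editor in the HA UI produces the same structure if you'd rather not write this by hand.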

But that automation just turns on a single light, what if I wanted to turn on more lights? Or play music? Or set other device statuses, all at the same time? This is where we get to "scenes" which allow you to define multiple pre-set states that can all be switched on in one go. For example, Ari wanted a fast way to get all his lights back to the same state he referred to as "cool", so we made a scene that turned on a bunch of lights and set the nerf gun wall to red:

That scene can be triggered by various events, including automations. We'll come back and look at that again shortly but for now, let's talk about how all those lights work in the first place.

Interfacing with Devices: Different Brands, Same Stuff

Ever get an odd sense of déjà vu when you see a product under a certain brand and you could swear you'd seen it somewhere before, but just different? I had that recently when I drove a friend's Tesla Model X and the indicator stalk felt just like the one in my Mercedes. Turns out that because it is just like the one in my Mercedes with the US brand using a bunch of parts from the Germans.

And so it is with IoT bits too:

Earlier on I mentioned I'd bought the Grid Connect lights (which are manufactured by Arlec) to put behind Ari's Nerf Gun wall. They were cheap (at least compared to something like Philips Hue), RGB (not just different shades of white) and could talk over Wi-Fi (not just controllable via a remote). The Grid Connect app worked fine but as I also mentioned earlier, there's no way it'd work with Apple's HomeKit and based on feedback to the tweet above, nor were there any integrations with HA. But there was another option:

Ok, that's actually several different options but let's just focus on Tuya first because that's the easiest path. Tuya is "the World's Leading IoT platform" (yay, another platform 🤦‍♂️) and per the above tweet, they ship products that run an ESP8266 chip which is a pretty common piece of kit. Consequently, I could pair that Grid Connect light strip with the Tuya app which... then says Arlec!

Later on, I bought a heap of RGB downlights from Oz Smart Things:

Turns out these are also Tuya compatible so now, without directly buying a single Tuya product, I have a lot of products running in the Tuya app:

What that means is that it's dead easy to control things such as the colour and the brightness:

Now, let's bring it back to HA for a moment and the value proposition here is that per Chris' earlier tweet, there's an integration that can bring these devices right into the same environment all my other IoT things are now in:

Ok, so far so good, now let's get to the twists in all this starting with how the same device looks in HA:

That looks fine now, but when I first added the downlights, I had no colour control. Power and brightness, yes, but no colour. It took some researching to realise that Tuya had killed colour control for a whole bunch of other people too and that the answer was to edit the customize.yaml file and for each Tuya entity, change the supported features to indicate colour control. I'm not even going to get into the mechanics of that here because that's not really the point of this series, rather I want to highlight how I kept running into "compatible but not completely compatible" scenarios like this.
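For readers who do want the mechanics, this is the shape of that customize.yaml workaround, as an added example that is not from the original post. The entity ID is assumed, and the value is the feature bitmask Home Assistant's light platform used at the time: brightness (1) plus colour (16).

```yaml
# customize.yaml (added example; the entity ID is assumed)
# Included from configuration.yaml with:
#   homeassistant:
#     customize: !include customize.yaml
light.ari_nerf_wall_strip:
  # brightness (1) + colour (16) = 17; add 2 (colour temperature) if the
  # light supports it, giving 19
  supported_features: 17
```

The override only tells HA's front end and light services that the entity accepts colour commands; the Tuya integration still has to be able to deliver them, so if a later integration update fixes colour support, remove the override rather than leave a stale bitmask in place.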

So, now should I change the colour via the Tuya app or the HA website or app? In one way, it doesn't matter because the state is reflected the same in both (i.e. make it red in HA and the Tuya app shows it as red). In another way, I'm now in this vicious cycle of having more and more apps for specific IoT devices that whilst integrated with HA, still require the OEM app to do a heap of stuff. For example, the Nanoleaf app has a very specific set of controls:

These allow predefined scenes to be played on the light panels (something that can also be triggered by HA), but also very specific configuration such as what colour to make individual panels. AFAIK, that capability isn't built into the HA integration and even if it was, it's unlikely the experience in setting it up would rival that of the dedicated app.

The bottom line is that you inevitably end up with multiple different interfaces into the same device be they native interfaces provided by the device manufacturer or those exposed via the HA integration. But it doesn't end there either, because you still need to get those devices back into the other IoT hubs. Here's why:

Integration with Other IoT Hubs

Earlier on, I lamented that everyone wants to be the hub of your IoT world and that fortunately, HA can play that role in the place of one of the large incumbent tech companies. Mostly. The gap comes when you start using products from one of those companies that expect to communicate with IoT devices via their own proprietary product. For example, both my kids have an Amazon Echo Dot in their room. I put these in there in part because they're fun learning devices they can easily ask questions of (they can also ask "Alexa, who's Troy Hunt" and get an answer or, as I learned last night with my daughter, they can ask "Alexa, is Troy Hunt handsome" and get a resounding "He is handsome" 🤣), and in part to control their IoT-enabled devices. The latter can be done without even needing HA as Tuya natively integrates with Alexa and exposes all the devices:

But there are other things in HA which we might still want to access via Alexa, for example the "cool" scene I set up for Ari earlier on. To do that we need to surface data from HA into Alexa which can be done with the Amazon Alexa integration. Once configured, the scene appears and he can talk to the Echo Dot and ask Alexa to "turn on cool in Ari's room":

Just as there are reasons to surface HA into Alexa, there are also reasons to surface HA into Apple's HomeKit, a feat that can be achieved with the HomeKit Bridge integration. (Note: there is also Homebridge which is a different beast altogether.) We can now surface all the same devices into Apple's ecosystem:

Remember, that Nerf gun wall is running the Arlec LED strips that use Grid Connect, surfaced through the Tuya app, none of which supports HomeKit, yet here we are with control in HomeKit 😎

That extends all the way to Apple Watches too:

One of the primary reasons for doing this is that once you're in the Apple ecosystem you have Siri so now I can just raise my wrist and say "Hey Siri, open the garage door". Or if I'm in my car with Apple CarPlay I can issue the same command without even taking my hands off the wheel.

This does, however, create other problems especially when it comes to troubleshooting. Take a look at the hero image at the top of this blog post. Nice Nerf gun wall representing Ari's room as HomeKit sees it on my iPad, except... his desk power is showing "No Response". Huh, wonder if he accidentally unplugged it this morning? So I go into his room and no, he hasn't unplugged it because his neon-backlit keyboard is glowing and it's plugged into the USB hub connected to the TP-Link HS100 smart plug that's presently unresponsive. It's surfaced in HomeKit via the HomeKit Bridge integration in HA so I go into that device and the entity is disabled. If HA can't see it then HomeKit won't be able to see it. Ok, let's go further up the stack and now I'm in the native iOS Kasa app where the plug is both present and responsive to power on / power off commands which means it's on the network just fine. I stopped there because frankly, I got a bit pissed with the whole thing and just want to finish this blog post right now, but I've included this here to demonstrate just how many moving parts are required to make all this work. Just one of those moving parts stops and not only does it kill a part of your internet of things, but there's a good chance you'll be in for a lengthy troubleshooting session.

This all took me a while to wrap my head around, namely the fact that you can't escape the necessity to have multiple "hubs of all your things" and that they can all work together harmoniously... most of the time. It's not difficult, but it is fiddly especially when you end up with the same devices in HA as Alexa can natively talk to then you see dupes or you get to HomeKit and there's a zillion devices in there when you really only want a couple of lights. There are solutions to these problems, however, it just requires a little patience and a lot of tweaking.

Summary

I want to wrap up part 1 here because it's a nice finish before peeling back more layers of complexity. Get yourself a Raspberry Pi, install HA, add integrations for your existing devices, surface them through your platforms of choice and you're off and running. But that's only the first step; in part 2 I want to start delving into the implications of all those IP addresses, the role of Zigbee, custom firmware and soldering and ultimately, finding my own happy path to how complex I wanted to make the whole thing.

Lastly, I'm going to devote my regular weekly update live stream to this blog series and do it in conjunction with my good mate Scott Helme who's been going through his own IoT journey. It'll be broadcast at 17:00 Gold Coast time for me this Friday which is 08:00 the same day in London and 23:00 Thursday evening on the US west coast. If you can't make the live stream, it'll still be available here afterwards: