Posts Tagged

safety

Razer Mouse Driver Causes Breach

Elizabeth Technology January 19, 2022

Peripherals

Peripherals. Your keyboard, mouse, drawing pad, Apple Pen, game controller, and more are considered peripherals. Peripherals, by their nature, don’t have much computer power inside them – generally, they have just enough to do their job and not more. In terms of hacking, they aren’t quite as vulnerable as IoT items because they’ve been in the computer world for much longer.

That doesn’t mean that it’s impossible, it just means that other targets are often easier – and other methods, such as hiding a hacking device in a corded mouse’s plug in a la the Juice Jacker are easier than trying to get in on a device’s protected Bluetooth connection.

However, some peripheral devices require things like drivers. Drivers are programs that give the computer instructions for how the device is supposed to work. A computer won’t know how a specific drawing tablet works until that drawing tablet is hooked up and the drivers downloaded, and a Dell won’t understand the Apple Pen without it’s related software. However, most mice and most keyboards don’t take any drivers because they’re so common that computer manufacturers assume they’re a given, and so the instructions for how the computer is meant to interpret the commands are already programmed in. It’s why you can just plug and go for most Bluetooth mice.

In this case, Razer’s mouse was so complicated that it took a driver to use to its fullest extent. It could change the color of its internal LEDs, and the computer didn’t have the built-in instructions to understand those commands. Downloading that driver is what presents the vulnerability!

The Flaw

Razer’s mouse doesn’t magically make the user an admin just by plugging it in – the end user still has to know what they’re looking at. The way Razer peripherals work, plugging one in downloads the drivers that specific device needs. To do so, it opens up a Wizard, and if you catch it when it asks you where you want to save the file, you can (or could) left-click and open PowerShell. Now you have access to PowerShell, one of Microsoft’s automation and task frameworks, without needing to get the administrator’s permission first. And PowerShell has admin privileges by its nature! Now that it’s been opened up, even previously limited or restricted profiles can access and change settings within the computer as though it were an admin, something it couldn’t have done without Razer’s Wizard.

This is a pretty big flaw.

The issue is that the file’s set-up is asking the user where they want to put their file, instead of stuffing it in the drive in its own folder or on the desktop by default, like many programs do. Or, alternatively, the computer shouldn’t have allowed the driver + Wizard download without admin permission in the first place!  

This is a big flaw. However – it also means that any malicious user would still have to get access to the computer, either physically or remotely, so while it’s a vulnerability if the person with the driver is in the physical location of an unlocked, open computer (or manages to scam their way into remote control of one), it’s not necessarily time to toss the Razer mice.

Razer

Razer peripherals are generally marketed towards gamers, but they can be used as regular device peripherals too. They’re sort of expensive to buy as just a mouse, and their especially great precision is designed for games, not Excel sheets, so many people (and many businesses) would prefer to use something lighter and cheaper for their office computers. Why bring an 18-wheeler to something if a simpler pickup truck will do the trick, right? The same goes for their gaming chairs, computers, keyboards, etc. – if something is perfectly designed for gaming, it can also do office stuff, but that would look and feel sort of ridiculous.

Razer’s whole image is the scorpions and snakes, green and black, Matrix, high-tech imagery. They may occasionally sell multipurpose stuff, but their marketing is overwhelmingly towards gamers, promising them the top-of-the-line peripherals with accuracy and speed that plain Dell or third-party peripherals can’t always deliver.  

The company knows this. Razer, understanding that their main function is ease-of-use and not security, may overlook basic security flaws every once and a while, and I don’t really blame them for missing something like this while testing – after all, Windows itself should have protested the download, too, right?

Sources:

https://www.razer.com/?gclid=Cj0KCQjwg7KJBhDyARIsAHrAXaHQ4v_RWuKn-7YKiB_B-QzTgur_Bg_GEZmcuBTCEreQ8P_JlWMp1a4aAoO2EALw_wcB

https://lifehacker.com/you-can-gain-admin-privileges-to-any-windows-machine-by-1847537634

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

Avoiding Doxxing

Elizabeth Cyber Security July 1, 2021

 

On TikTok, posting personal details and Facebook profiles of feuding personalities is becoming normal, frighteningly fast. Doxxing is becoming a real problem. How do you avoid it?

 

Don’t use the same username for every website.

 

When every website you go to uses xXxCatLover93xXx as your handle, eventually, people are going to start searching for that name. Maybe you got into an argument over whether Ragamuffins are better than Ragdoll cats – and now someone is googling your username to see what other wrong opinions you have. If your TikTok account had that username and a real picture of you, then they know what you look like. If you posted that same picture to Facebook once you migrated from MySpace, and they reverse-image search, suddenly they’ve stumbled upon your profile. Use different usernames! Don’t link anonymous and non-anonymous accounts with the same username, that defeats the purpose!  

Additionally, under those usernames, it’s a good idea to regularly purge your post history or delete the account, particularly for sites like Reddit where post history is public. People reveal more than they think they do in comments, especially if they don’t realize something’s a local landmark. Citing a particular statue or feature of a town may be just familiar enough for someone to recognize it. They then know you’re there, and by scrolling down the post history, they may be able to identify you.

Not everyone is malicious, and if people identify that you live in their town, it’s probably not going to lead to someone murdering you (although cases like that exist!). It’s just uncomfortable to spill secrets to strangers who may or may not be able to recognize you IRL. The bigger concern should be people you don’t like identifying you and learning more about you via that profile’s history!

 

Don’t Post Details (or post them ‘wrong’)

 

Birthdate, gender, and zipcode can narrow your exact identity down to one or two people within that zipcode. With your name or initials, bingo! You’re the only one who matches! Now, other people may be able to identify that you only have one dog, one roommate, and no security door via information you’ve posted in the past.

How do you prevent that? Don’t post any of those details. Post them wrong if someone asks – flip numbers around in the zipcode, and birthday. Insinuate you have several dogs. Flip your gender or refuse to disclose it. If someone is asking you for something as specific as your zipcode, you should read that as a red flag! City, state, whatever – that’s one thing. Zipcodes can get really specific, down to two or three neighborhoods. You may have overshared elsewhere, and the other side is one small step from being able to doxx you.

 

Non-Text Related – Don’t post your face or identifying locations

 

When I was growing up, it was suggested that you should never post your face online, as someone could find you off of that alone. In middle school, we were told a horror story of a little girl who went missing, because she was conversing with a ‘friend’ online. That friend was really a pedophile posing as another 10-year-old, and he asked her for a picture of herself, spotted her school’s logo on her backpack in the background of that picture, and then snatched her and murdered her based off of that. Information in the background is just as valuable as a face pic.

That still holds true! You shouldn’t post pictures of the outside of your house, because if Google Street View has seen it, it’s not impossible to reverse-search. If a malicious party knows you live in that state, then they may be able to narrow down your neighborhood just by building style. Your face, your school, your work – any unique building or feature could be used against you.

You also shouldn’t post pics of receipts, as store numbers contain a lot of information. When you do post pictures, black out information like time and place! It’s also a really good idea to check your phone’s settings. EXIF data is data the phone stores about the picture – things like time, date, and device specs are stored in each picture you take. If you don’t have it set to ‘off’, EXIF data also frequently has geotagging information attached to it. Turn that off in settings!

 

TikTok Crisis

 

TikTok is a terrifying place. Users regularly show their entire face, cons that they’ve attended, and personal stories with too much detail to their audience. Distinctive, unique tattoos get shown off to thousands of people, as well as the view from their front yard and what stores they can walk to. Some of the TikToks that came out of the pandemic were about remote learning, with the teacher visible on the screen. This is a problem because many schools post pics of their teachers on their staff page. Bad actors are using this to find the school to show them the TikTok and find the person who posted it.

The worst part? It doesn’t have to happen immediately. Kids posting a video of themselves violating school rules weeks later can still be found via that video further down in the feed. Ticked off a more anonymous user? You’ll never know how the school found out. Videos of dance trends that they wouldn’t want their parents seeing are getting sent to their parents based off of information gathered over weeks or months of posts. All of it’s online. Video is an incredibly information-rich format, and when each video is under a minute long, any one person could look through them all.

It’s no surprise people are getting their own details shoved in their face when they’re posting this much about themselves!

The easy solution? Just don’t. Don’t download the app, and don’t download videos. Of course, this isn’t going to happen, so the second-best option is to always film indoors away from windows, or in generic buildings like Targets or chain grocery stores. Don’t film yourself in a distinctive school uniform or in an identifying area of said school, because sometimes all it takes is specific colors. In Las Vegas, many of the school buildings look the same, but the colors are totally distinct to each school. Blue and orange belong to Bishop Gorman, so if a kid has posted about living in Vegas before, those colors narrow down their location dramatically.

Shia LeBeouf’s flag, and 9Gag’s ‘meme hieroglyph’

 

It’s dangerous to attract too much attention from certain forums. 4Chan in particular is notorious for finding the unfindable, triangulating exact locations based off of things like truck honks and light positioning. See the saga of Shia LeBeouf’s flag project, where the flag was found over and over until he was forced to put it in a featureless white room.

9Gag put a limestone pillar covered in ‘hieroglyphs’ (which were really just old memes carved into the surface) underground for future archeologists to find. 4Chan and other forums found it by cross-referencing information in the background (Spanish writing on a truck) with available limestone mines and open fields in Spanish-speaking countries and found its exact coordinates based off of that little information. They couldn’t do much about it, because it was a 24-ton piece of limestone, but they found it.

 

Crimes

 

If you post things online, someone may be able to find you given time and determination. The best thing you can do to avoid that determination is fade into the background, as hard as you can, and don’t post crimes or social misconducts to TikTok or social media. Even if you’re not planning on committing crimes, you should set accounts to private, don’t overshare, and don’t do things that get you online attention for the wrong reasons. Once again, TikTok is terrifying because small accounts may think they’re only sharing with their friends, only to end up trending unintentionally!

Maskless groups of friends posting videos at the beginning of the pandemic were scolded for being maskless, and because interaction makes videos more likely to appear on the ‘For You’ page, those maskless videos were getting thousands of people’s worth of harassment. Post something dumb? Algorithm catches it juuuust right? Previously anonymous posts then get a glance from hundreds to thousands of people! Suddenly, it matters a lot if you’ve ever posted videos that looked bad with no context.

 

And More Crimes

 

If you’ve seen posts that said “help me find her!” with some sob story about a missed connection, this is one way of finding people who don’t necessarily want to be found. Sure, it might be legit. It might also be a particularly clever stalker using a sad story about ‘I was out of swipes on Tinder!’ to get unsuspecting ‘good Samaritans’ to help him chase some woman’s Facebook profile down. Missed Connections on Craigslist is one thing – that’s pretty anonymous. Posting a missed connection to thousands of people on Reddit or TikTok is an entirely different thing. It’s effectively setting a mob after that person to get them to respond to the poster. The same goes for Missing Persons posts – if the number is anything but a police department’s number, you should be wary of trying to help.

 

Sources: https://www.dhs.gov/sites/default/files/publications/How%20to%20Prevent%20Online%20Harrassment%20From%20Doxxing.pdf

https://dataprivacylab.org/projects/identifiability/paper1.pdf