
The Official Internet/Computer Security News Discussion Thread

Jun 6, 2018 | 10:32 PM | #521 | AZuser
https://www.bleepingcomputer.com/new...d-zte-devices/

VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices

June 6, 2018

The VPNFilter malware that infected over 500,000 routers and NAS devices across 54 countries during the past few months is much worse than previously thought.

According to new research technical details published today by the Cisco Talos security team, the malware —which was initially thought to be able to infect devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP— can also infect routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

The list of devices vulnerable to VPNFilter has seen a sharp jump from Cisco's original report, going from 16 device models to 71 —and possibly more. The full list is embedded at the bottom of this article.

New VPNFilter plugins

Furthermore, researchers have also discovered new VPNFilter capabilities, packed as third-stage plugins, as part of the malware's tri-stage deployment system.



Cisco experts said they discovered the following two new third-stage plugins.

ssler - plugin for intercepting and modifying web traffic on port 80 via man-in-the-middle attacks. The plugin also supports downgrading HTTPS to HTTP.

dstr - plugin for overwriting device firmware files. Cisco knew VPNFilter could wipe device firmware, but in its recent report pinpointed this function to this specific third-stage plugin.

These two new plugins add to the two already known.

ps - plugin that can sniff network packets and detect certain types of network traffic. Cisco believes this plugin was used to look for Modbus TCP/IP packets, often used by industrial software and SCADA equipment, but in its most recent report claims the plugin will also look for industrial equipment that connects over TP-Link R600 virtual private networks as well.

tor - plugin used by VPNFilter bots to communicate with a command and control server via the Tor network.

Technical details about the VPNFilter malware, in general, are available in Cisco's first report. Details about the ssler, dstr, and ps third-stage plugins are available in a report published today.

. . . [ SNIP ] . . .

If users can't update their router's firmware, can't update to a new router, but would still like to wipe the malware from their devices, instructions on how to safely remove the malware are available in this article. Removing VPNFilter from infected devices is quite a challenge, as this malware is one of two malware strains that can achieve boot persistence on SOHO routers and IoT devices. Furthermore, there are no visible signs that a router has been infected with this malware, so unless you can scan your router's firmware, even knowing you're infected is a challenge. The best advice we can give right now is to make sure you're running a router with up-to-date firmware.

. . . [ SNIP ] . . .
Jun 6, 2018 | 11:05 PM | #522 | #1 STUNNA
I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?

- Our President
Jun 7, 2018 | 11:14 AM | #523 | #1 STUNNA
Click here to opt out of a bunch of ad trackers: http://optout.aboutads.info


Jun 7, 2018 | 11:31 AM | #524 | stogie1020
Netgear has updated firmware out (at least for my model router).
Jun 7, 2018 | 12:01 PM | #525 | justnspace
glad I rebooted my asus router; it's now on the new list.
Aug 14, 2018 | 05:27 PM | #526 | doopstr
https://www.intel.com/content/www/us...-sa-00161.html
Summary:

Security researchers have identified a speculative execution side-channel method called L1 Terminal Fault (L1TF). This method impacts select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX). Further investigation by Intel has identified two related applications of L1TF with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software. If used for malicious purposes, this class of vulnerability has the potential to improperly infer data values from multiple types of computing devices.


Intel is committed to product and customer security and to coordinated disclosure. We worked closely with other technology companies, operating system, and hypervisor software vendors, developing an industry-wide approach to mitigate these issues promptly and constructively.
For facts about these new exploits, technical resources, and steps you can take to help protect systems and information please visit: https://www.intel.com/securityfirst.
Aug 25, 2018 | 11:31 AM | #527 | doopstr
https://www.tomshardware.com/news/di...ity,37690.html
Theo de Raadt, founder of OpenBSD, which makes a free, multi-platform, UNIX-like operating system, recommended everyone completely disable Intel’s Hyper-Threading in BIOS before hackers start taking advantage of it.

Hyper-Threading Is Unsafe

In a post this week, de Raadt said that the Foreshadow and TLBleed flaws have made it mandatory to disable the Hyper-Threading technology on all Intel-based machines. He claimed mitigating these flaws requires a new CPU microcode and coding workarounds, but these alone are not sufficient to stop attackers; Hyper-Threading also has to be disabled.
OpenBSD version 6.4 and newer will disable Hyper-Threading completely.

Last edited by doopstr; Aug 25, 2018 at 11:37 AM.
Aug 28, 2018 | 01:51 PM | #528 | stogie1020
Hmmmm. Not sure I am going to disable hyperthreading.
Oct 4, 2018 | 09:59 AM | #529 | #1 STUNNA
I just got a text message from Paypal that said "Paypal: Your security code is: 443162...."

Except I wasn't in front of a computer, I wasn't trying to access my account, and I didn't have a PayPal tab open on another PC. I usually only get that when I sign in to PayPal, which I wasn't doing. So was someone signing in to my account!? I use LastPass, and my PayPal password is a 20-character, unique, gibberish password. It's not used anywhere else, and you can't brute force it.

I'm just assuming that something glitched with PayPal's 2FA server and sent codes to the wrong person, or maybe someone typed my number into their account and now I'm getting their codes. Either way, I changed my PayPal password to a different 20-character unique complex pw. Still weird.

Anyone else with PayPal 2FA just get a text from them?
Oct 4, 2018 | 10:15 AM | #530 | Whiskers
No, but it happened to me the other day with Amazon. I changed the password.
Oct 4, 2018 | 10:47 AM | #531 | thoiboi
A while ago, a friend posted a white paper about why 2FA via text message is not secure due to the ability to hijack numbers. My 2FA method of choice is Google Authenticator but not all sites support a 3rd party code generator yet.
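For reference, the kind of code generator thoiboi prefers works like this. Google Authenticator implements TOTP (RFC 6238), which is HOTP (RFC 4226) with a counter derived from the clock: the site and the app share a secret at enrolment, and every 30 seconds both compute HMAC-SHA1 over the current time step and truncate it to six digits. No code ever travels over the phone network, so hijacking the number yields nothing. The example below is added here and is not code from the original post or from any site or app named in the thread; the secret is the RFC test-vector seed, and the function names, the drift window and the provisioning-URI layout are this example's own choices.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte counter, dynamically truncate, reduce to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus `window` steps either side for clock drift.
    compare_digest keeps the string comparison constant-time."""
    current = int(for_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter, digits), code)
        for counter in range(current - window, current + window + 1)
    )


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI of the kind an enrolment QR code carries (layout is this example's assumption)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


# RFC 4226 / RFC 6238 test-vector seed, used so the output can be checked against the RFCs
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))              # 287082 (RFC 6238, SHA-1, six digits)
    print(totp(RFC_SECRET, time.time()))     # the code an authenticator would show right now
    print(provisioning_uri("ExampleSite", "alice", RFC_SECRET))
```

The drift window is the trade-off a site makes between users whose phone clock is a little off and the number of codes an attacker could guess at once; one step either side is the usual choice.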
Oct 4, 2018 | 10:54 AM | #532 | stogie1020
Originally Posted by thoiboi
A while ago, a friend posted a white paper about why 2FA via text message is not secure due to the ability to hijack numbers. My 2FA method of choice is Google Authenticator but not all sites support a 3rd party code generator yet.
Yes they can spoof a cell number, but they have to know WHICH cell number to spoof. The concern is more of a targeted attack (where your cell number and various accounts may already be known) than random mass account hijacks. Unless, of course, the service is warehousing your account credentials AND your 2FA tel number in plain text on the same storage server...
Oct 4, 2018 | 11:32 AM | #533 | thoiboi
Originally Posted by stogie1020
Yes they can spoof a cell number, but they have to know WHICH cell number to spoof. The concern is more of a targeted attack (where your cell number and various accounts may already be known) than random mass account hijacks. Unless, of course, the service is warehousing your account credentials AND your 2FA tel number in plain text on the same storage server...
I mean it's paypal we're talking about
Oct 4, 2018 | 11:33 AM | #534 | #1 STUNNA
I always use an app if it's available; unless something has changed, they don't support 2FA apps.
Oct 4, 2018 | 09:02 PM | #535 | doopstr
https://www.bloomberg.com/news/featu...-top-companies

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies


Oct 4, 2018 | 09:08 PM | #536 | doopstr
https://www.supermicro.com/newsroom/..._Bloomberg.cfm
Supermicro Refutes Claims in Bloomberg Article

Supermicro along with Apple and Amazon refute claims in Bloomberg story

https://aws.amazon.com/blogs/securit...neous-article/

Last edited by doopstr; Oct 4, 2018 at 09:11 PM.
Oct 5, 2018 | 07:58 AM | #537 | George Knighton
Originally Posted by doopstr
https://www.supermicro.com/newsroom/..._Bloomberg.cfm
Supermicro Refutes Claims in Bloomberg Article

Supermicro along with Apple and Amazon refute claims in Bloomberg story

https://aws.amazon.com/blogs/securit...neous-article/
I'd feel better about this if that weren't exactly what they'd say, and if there weren't activities at Apple in 2015, and at Amazon and Apple in 2017, that might indicate that they knew that something was going on.

That's not a validation of anything, just some weird, circumstantial and coincidental evidence.

I guess.

0_o
Nov 2, 2018 | 04:54 PM | #538 | doopstr
Another Hyperthreading vulnerability. And WTF saying AMD likely impacted but they didn't bother to test.

https://www.zdnet.com/article/intel-...vulnerability/

Intel CPUs impacted by new PortSmash side-channel vulnerability

Vulnerability confirmed on Skylake and Kaby Lake CPU series. Researchers suspect AMD processors are also impacted.
Nov 5, 2018 | 09:58 AM | #539 | stogie1020
Originally Posted by doopstr
Another Hyperthreading vulnerability. And WTF saying AMD likely impacted but they didn't bother to test.

https://www.zdnet.com/article/intel-...vulnerability/

Intel CPUs impacted by new PortSmash side-channel vulnerability

Vulnerability confirmed on Skylake and Kaby Lake CPU series. Researchers suspect AMD processors are also impacted.
Researchers say they notified Intel's security team last month, on October 1, but the company did not provide a patch until yesterday, the date on which researchers went public with their findings.
So, patched.
Mar 5, 2019 | 06:09 PM | #540 | doopstr
New vulnerability found in Intel CPUs. Not present in AMD or ARM.

All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix
Researchers say Intel won't be able to use a software mitigation to fully address the problem Spoiler exploits.
https://www.zdnet.com/article/all-in...t-a-quick-fix/

Last edited by doopstr; Mar 5, 2019 at 06:13 PM.
Mar 5, 2019 | 09:55 PM | #541 | Will Y.
Kaspersky replacement?

I'm running Kaspersky Total Security on several computers.
Are there any good alternatives to Kaspersky Total Security which are both active and passive while combining security, anti-malware and anti-virus functions without a connection to the FSB and Internet Research Institute?
Mar 5, 2019 | 11:54 PM | #542 | AZuser
Bitdefender

https://www.av-comparatives.org/test...y-report-2018/
Mar 6, 2019 | 09:53 AM | #543 | stogie1020
Originally Posted by AZuser
^Werd

Company is based out of Romania.
Mar 6, 2019 | 10:24 PM | #544 | Will Y.
Originally Posted by AZuser
I'll check it out; thanks!
Originally Posted by stogie1020
^Werd

Company is based out of Romania.
At least it's in a NATO country; vampires are less scary than the FSB anyway.
Apr 11, 2019 | 01:01 PM | #545 | AZuser
https://www.zdnet.com/article/dragon...wpa3-standard/

Dragonblood vulnerabilities disclosed in WiFi WPA3 standard

April 10, 2019

Two security researchers disclosed details today about a group of vulnerabilities collectively referred to as Dragonblood that impact the WiFi Alliance's recently launched WPA3 Wi-Fi security and authentication standard.

If ever exploited, the vulnerabilities would allow an attacker within the range of a victim's network to recover the Wi-Fi password and infiltrate the target's network.

The Dragonblood vulnerabilities

In total, five vulnerabilities are part of the Dragonblood ensemble --a denial of service attack, two downgrade attacks, and two side-channel information leaks.

While the denial of service attack is somewhat unimportant as it only leads to crashing WPA3-compatible access points, the other four are the ones that can be used to recover user passwords.

Both the two downgrade attacks and two side-channel leaks exploit design flaws in the WPA3 standard's Dragonfly key exchange --the mechanism through which clients authenticate on a WPA3 router or access point.

In a downgrade attack, WiFi WPA3-capable networks can be coerced into using older and less secure password exchange systems, which can allow attackers to retrieve the network passwords using older flaws.

In a side-channel information leak attack, WiFi WPA3-capable networks can trick devices into using weaker algorithms that leak small amounts of information about the network password. With repeated attacks, the full password can eventually be recovered.

Downgrade to Dictionary Attack - works on networks where both WPA3 and WPA2 are supported at the same time via WPA3's "transition mode." This attack has been confirmed on a recently released Samsung Galaxy S10 device. Explainer below:

If a client and AP both support WPA2 and WPA3, an adversary can set up a rogue AP that only supports WPA2. This causes the client (i.e. victim) to connect using WPA2's 4-way handshake. Although the client detects the downgrade-to-WPA2 during the 4-way handshake, this is too late. The 4-way handshake messages that were exchanged before the downgrade was detected provide enough information to launch an offline dictionary attack.

Group Downgrade Attack - works when WPA3 is configured to work with multiple groups of cryptographic algorithms, instead of just one. Basic downgrade attack. Explainer below:

For example, say a client supports the elliptic curves P-521 and P-256, and prefers to use them in that order. In that case, even though the AP also supports the P-521 curve, an adversary can force the client and AP into using the weaker P-256 curve. This can be accomplished by jamming the messages of the Dragonfly handshake, and forging a message that indicates certain curves are not supported.

Cache-Based Side-Channel Attack (CVE-2019-9494) - exploits the Dragonfly protocol's "hunting and pecking" algorithm. High-level explainer below:

If an adversary can determine which branch of the if-then-else branch was taken, they can learn whether the password element was found in a specific iteration of this algorithm. In practice we found that, if an adversary can run unprivileged code on the victim machine, we were able to use cache-based attacks to determine which branch was taken in the first iteration of the password generation algorithm. This information can be abused to perform a password partitioning attack (this is similar to an offline dictionary attack).

Timing-Based Side-Channel Attack (CVE-2019-9494) - exploits WPA3's "multiplicative groups" feature. Explainer below:

When the Dragonfly handshake uses certain multiplicative groups, the password encoding algorithm uses a variable number of iterations to encode the password. The precise number of iterations depends on the password being used, and the MAC address of the AP and client. An adversary can perform a remote timing attack against the password encoding algorithm, to determine how many iterations were needed to encode the password. The recovered information can be abused to perform a password partitioning attack, which is similar to an offline dictionary attack.

More detailed explanations for each of these vulnerabilities are available in an academic paper authored by Mathy Vanhoef and Eyal Ronen, titled "Dragonblood: A Security Analysis of WPA3's SAE Handshake" --or this website dedicated to the Dragonblood vulnerabilities.

Dragonblood also impacts EAP-pwd

Besides WPA3, researchers said the Dragonblood vulnerabilities also impact the EAP-pwd (Extensible Authentication Protocol) that is supported in the previous WPA and WPA2 WiFi authentication standards.

"We [...] discovered serious bugs in most products that implement EAP-pwd," the research duo said. "These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user's password."

The two researchers didn't publish details of how the Dragonblood vulnerabilities impact EAP-pwd because the patching process is still in progress. They did, however, publish tools that can be used to discover if WPA3-capable devices are vulnerable to any of the major Dragonblood flaws.

Fixes for WPA3 are available

On the other hand, the WiFi Alliance announced today a security update for the WPA3 standard following Vanhoef and Ronen's public disclosure of the Dragonblood flaws.

"These issues can all be mitigated through software updates without any impact on devices' ability to work well together," the WiFi Alliance said today in a press release. Vendors of WiFi products will now have to integrate these changes into their products via firmware updates.

Vanhoef is the same security researcher who in the fall of 2017 disclosed the KRACK attack on the WiFi WPA2 standard, which was the main reason the WiFi Alliance developed WPA3 in the first place.
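To make the timing side-channel in the article above concrete, here is a toy model of the Dragonfly "hunting and pecking" password encoding. It is added here and is not code from the ZDNet article, from the Dragonblood paper or from any Wi-Fi implementation: the group is a small prime modulus and HMAC-SHA256 stands in for the real key derivation (both assumptions, as are all the names). It shows the leaky shape, where the loop exits as soon as a valid password element is found so the iteration count depends on the password and both MAC addresses, next to the fixed-iteration shape that always runs k rounds and keeps the first hit, so an observer sees the same count for every password.

```python
import hashlib
import hmac

# Constructed toy parameters: a 10-bit prime instead of a real Dragonfly group (assumption).
TOY_PRIME = 1009
K_ITERATIONS = 40      # the fixed round count a constant-time implementation commits to


def is_valid_element(x: int, p: int = TOY_PRIME) -> bool:
    """Legendre test: x is a quadratic residue mod p, i.e. usable as the password element."""
    return x != 0 and pow(x, (p - 1) // 2, p) == 1


def hunt_candidate(password: bytes, mac_a: bytes, mac_b: bytes, counter: int) -> int:
    """One 'peck': derive a candidate from both MAC addresses, the password and the counter.
    The handshake uses an HMAC-based KDF; HMAC-SHA256 stands in for it here (assumption)."""
    key = max(mac_a, mac_b) + min(mac_a, mac_b)          # order-independent, like the real handshake
    digest = hmac.new(key, password + bytes([counter]), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % TOY_PRIME


def encode_password_leaky(password: bytes, mac_a: bytes, mac_b: bytes,
                          max_iterations: int = K_ITERATIONS):
    """Early-exit variant: returns at the first valid element, so the number of rounds,
    and therefore the running time, depends on the password and the two MAC addresses."""
    for counter in range(1, max_iterations + 1):
        x = hunt_candidate(password, mac_a, mac_b, counter)
        if is_valid_element(x):
            return x, counter
    return None, max_iterations


def encode_password_fixed(password: bytes, mac_a: bytes, mac_b: bytes,
                          k: int = K_ITERATIONS):
    """Mitigated variant: always performs k rounds and keeps the first valid element,
    so the round count is identical for every password and MAC pair."""
    found = None
    for counter in range(1, k + 1):
        x = hunt_candidate(password, mac_a, mac_b, counter)
        # a production implementation would make this selection constant-time as well
        if found is None and is_valid_element(x):
            found = x
    return found, k


def iteration_profile(passwords, mac_a: bytes, mac_b: bytes, encoder):
    """Round counts an observer of the encoding time would see for each candidate password."""
    return [encoder(pw, mac_a, mac_b)[1] for pw in passwords]


if __name__ == "__main__":
    ap = bytes.fromhex("001122334455")      # constructed MAC addresses
    sta = bytes.fromhex("66778899aabb")
    guesses = [b"correct horse", b"hunter2", b"letmein", b"Tr0ub4dor&3"]
    print("leaky:", iteration_profile(guesses, ap, sta, encode_password_leaky))
    print("fixed:", iteration_profile(guesses, ap, sta, encode_password_fixed))
```

Both variants produce the same element for the same inputs; what differs is only how much the running time says about the input. The plain `if` used for selection is for readability, and a real implementation has to avoid data-dependent branches there too, which is the cache-based leak the article describes.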
Apr 14, 2019 | 10:15 AM | #546 | nfnsquared
XP is officially dead:

https://www.extremetech.com/computin...rs-post-launch
May 14, 2019 | 07:40 PM | #547 | doopstr
If you so desire, here is information on how to disable hyperthreading on macOS, Windows, and Red Hat.
https://support.apple.com/en-us/HT210108
https://support.microsoft.com/en-us/...n-side-channel
https://support.microsoft.com/en-us/...n-side-channel
May 14, 2019 | 08:01 PM | #548 | doopstr
https://mdsattacks.com/

RIDL and Fallout: MDS attacks

Attacks on the newly-disclosed "MDS" hardware vulnerabilities in Intel CPUs
May 21, 2019 | 08:20 AM | #549 | AZuser
https://www.extremetech.com/computin...wn-mds-patches

Intel Performance Hit 5x Harder Than AMD After Spectre, Meltdown Patches

May 20, 2019

Ever since Spectre and Meltdown broke in January 2018, we’ve known that the combined impact of patching these security issues would impact raw performance. The question, especially as new disclosures have stacked up, is how large the impacts would be and how would they change the performance comparison between Intel and AMD?

Phoronix has put that question to the test with a substantial suite of benchmarks across multiple Intel platforms, including the 6800K (Broadwell-E), 8700K (Coffee Lake), 7980XE (Skylake-SP), Ryzen 7 2700X, and Threadripper 2990WX. These chips collectively represent all of the recent major architectures in play.

The collective impact of enabling all patches is not a positive for Intel. While the impacts vary tremendously, from virtually nothing to significant on an application-by-application level, the collective whack is ~15-16 percent on all Intel CPUs without Hyper-Threading disabled. Disabling increases the overall performance impact to 20 percent (for the 7980XE), 24.8 percent (8700K) and 20.5 percent (6800K).

The AMD CPUs are not tested with HT disabled, because disabling SMT isn’t a required fix for the situation on AMD chips, but the cumulative impact of the decline is much smaller. AMD loses ~3 percent with all fixes enabled.

. . . .

[ SNIP ]
May 31, 2019 | 04:58 PM | #550 | doopstr
Hey you know what stuff Intel said they fixed? They didn't fix it.
https://arxiv.org/abs/1905.12701
Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors.
In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution.
Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations.
May 31, 2019 | 07:30 PM | #551 | stogie1020
Crap, I was about to plunk down cash on a Coffee Lake hoping I had left these issues behind...
Jun 4, 2019 | 10:52 AM | #552 | stogie1020
This video is NSFW (language) and cracked me up. It gets better and better as it plays...

Aug 13, 2019 | 01:04 PM | #553 | stogie1020
SWAPGS vulnerability in all Ivy Bridge and later Intel Processors using speculative execution

https://www.bitdefender.com/business...ecommendations
Aug 13, 2019 | 02:34 PM | #554 | #1 STUNNA
this is just going to be an endless game of whack a mole from now on, isn't it
Aug 13, 2019 | 03:32 PM | #555 | stogie1020
Originally Posted by #1 STUNNA
this is just going to be an endless game of whack a mole from now on, isn't it
What is interesting is that BitDefender has a VM tool that they say negates these threats.

It makes me think that the CPUs themselves need to be separated (or integrated) into greater virtualization to prevent these types of attacks. A completely virtual OS of sorts...

Bitdefender has demonstrated how Hypervisor Introspection stops the attack by removing conditions it needs to succeed on unpatched Windows systems. This mitigation has introduced no noticeable performance degradation. While deploying the patch from Microsoft is highly recommended, Hypervisor Introspection provides an effective compensating control until systems can be patched.
Sep 6, 2019 | 12:02 PM | #556 | stogie1020
Ran into an interesting phishing vector...

My wife had an event invitation appear in her Google Calendar with a message saying something like "Accept: Pickup Free Samsung S9", and there was a link in the calendar invite.

She had not received any emails with an invitation, so this came directly through the Google Calendar interface.

This article has the info about it along with the remedy:

https://www.wired.com/story/phishing...endar-invites/

TLDR: Open Google Calendar's settings on a desktop browser and go to Event Settings > Automatically Add Invitations, and then select the option "No, only show invitations to which I've responded." Also, under View Options, make sure that "Show declined events" is unchecked, so malicious events don't haunt you even after you decline them.
Sep 23, 2019 | 05:17 PM | #557 | doopstr
https://www.us-cert.gov/ncas/current...curity-updates

Microsoft Releases Out-of-Band Security Updates

Microsoft has released out-of-band security updates to address vulnerabilities in Microsoft software. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft Security Advisories for CVE-2019-1367, CVE-2019-1255, and Microsoft’s Cumulative security update for Internet Explorer and apply the necessary updates.
Sep 29, 2019 | 03:52 PM | #558 | doopstr
Microsoft Stops Trusting SSD Makers

https://www.tomshardware.com/news/bi...sds,40504.html

Windows ships with a full volume encryption tool called BitLocker. The feature used to trust any SSD that claimed to offer its own hardware-based encryption, but that changed in the KB4516071 update to Windows 10 released on September 24, which now assumes that connected SSDs don't actually encrypt anything.

"SwiftOnSecurity" called attention to this change on September 26. The pseudonymous Twitter user then reminded everyone of a November 2018 report that revealed security flaws, such as the use of master passwords set by manufacturers, of self-encrypting drives. That meant people who purchased SSDs that were supposed to help keep their data secure might as well have purchased a drive that didn't handle its own encryption instead.

Those people were actually worse off than anticipated because Microsoft set up BitLocker to leave these self-encrypting drives to their own devices. This was supposed to help with performance--the drives could use their own hardware to encrypt their contents rather than using the CPU--without compromising the drive's security. Now it seems the company will no longer trust SSD manufacturers to keep their customers safe by themselves.
Oct 5, 2019 | 11:48 PM | #559 | #1 STUNNA
AZ has 2FA now!

When the hell did that happen!?

https://acurazine.com/forums/security.php
Jan 14, 2020 | 06:42 PM | #560 | doopstr
Patch your crap
https://arstechnica.com/information-...ion-is-broken/

Patch Windows 10 and Server now because certificate validation is broken
