Well, this sure is something to wake up to: a massive worldwide outage of computer systems due to a problem with CrowdStrike software. Payment systems, airlines, hospitals, governments, TV stations – pretty much anything or anyone using computers could be dealing with bluescreens, bootloops, and similar issues today. Open-heart surgeries had to be stopped mid-surgery, planes can’t take off, people can’t board trains, shoppers can’t pay for their groceries, and much, much more, all over the world. The problem is caused by CrowdStrike, a sort-of enterprise AV/monitoring software that uses a Windows NT kernel driver to monitor everything people do on corporate machines and logs it for… Security purposes, I guess? I’ve never worked in a corporate setting so I have no experience with software like this. From what I hear, software like this is deeply loathed by workers the world over, as it gets in the way and slows systems down. And, as can happen with a kernel driver, a bug can cause massive worldwide outages, which is costing people billions in damages and may even have killed people.

There is a workaround, posted by CrowdStrike: This is a solution for individually fixing affected machines, but I’ve seen responses like “great, how do I apply this to 70k endpoints?”, indicating that this may not be a practical solution for many affected customers. Then there’s the issue that this may require a BitLocker password, which not everyone has on hand either. To add insult to injury, CrowdStrike’s advisory about the issue is locked behind a login wall. A shitshow all around.

Do note that while the focus is on Windows, Linux machines can run CrowdStrike software too, and I’ve heard from Linux kernel engineers who happen to also administer large numbers of Linux servers that they’re seeing a huge spike in Linux kernel panics… Caused by CrowdStrike, which is installed on a lot more Linux servers than you might think.
So while Windows is currently the focus of the story, the problems are far more widespread than just Windows. I’m sure we’re going to see some major consequences here, and my – misplaced, I’m sure – hope is that this will make people think twice about one, using these invasive anti-worker monitoring tools, and two, employing kernel drivers for this nonsense.
Thousands of users across the internet are reporting severe issues with their Samsung Blu-ray players, home theater, and home cinema systems. A more realistic explanation is that the issues are being caused by an expired SSL certificate that the Samsung Blu-ray players were using to connect to Samsung servers via HTTPS. I kept thinking about smart locks stuck in reboot loops.
Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits the speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says these mitigations are also applicable to variant 4 and available for consumers to use today.
However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won’t see negative performance impacts.
This cat ain't going back in no bag anytime soon.
It also contained a piece of malware, so not much different from western anti-virus.
Once upon a time, a friend of mine accidentally took over thousands of computers. He had found a vulnerability in a piece of software and started playing with it. In the process, he figured out how to get total administration access over a network. He put it in a script, and ran it to see what would happen, then went to bed for about four hours. Next morning on the way to work he checked on it, and discovered he was now lord and master of about 50,000 computers. After nearly vomiting in fear he killed the whole thing and deleted all the files associated with it. In the end he said he threw the hard drive into a bonfire. I can't tell you who he is because he doesn't want to go to Federal prison, which is what could have happened if he'd told anyone that could do anything about the bug he'd found. Did that bug get fixed? Probably eventually, but not by my friend. This story isn't extraordinary at all. Spend much time in the hacker and security scene, you'll hear stories like this and worse.
It's hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.
Computers, and computing, are broken.
It's from 2014, but drop everything you're doing right now and read this. Go on. Don't put it off. Read it.
For the past few weeks, Forbes.com has been forcing visitors to disable ad blockers if they want to read its content. Visitors to the site with Adblock or uBlock enabled are told they must disable it if they wish to see any Forbes content. Thanks to Forbes' interstitial ad and quote of the day, Google caching doesn't capture data properly, either.
What sets Forbes apart, in this case, is that it didn't just force visitors to disable ad blocking - it actively served them malware as soon as they did. Details were captured by security researcher Brian Baskin, who screenshotted the process.
There are no words for this level of stupidity.
A few days ago, Apple released documentation on how any user can download and use the latest iOS beta. Apple doesn't usually run public betas, so it puts users in an interesting position. Should you do it? The Independent reviews the pros and cons.
Cryptoparty is a global initiative to introduce privacy concepts and free tools to the public. Recently they developed their free handbook, a 390-page PDF that covers all aspects of privacy for web browsing, email, passwords, and encryption for files, disks, IM, and phone calls. Download it free here.
If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
You might assume your new PC is secure, but is it? In the U.S., the Federal Trade Commission just charged seven rent-to-own computer companies and a software design firm with computer spying. Some 420,000 rent-to-own computers allegedly secretly collected personal information, took pictures of users in their homes, and tracked their locations. Meanwhile, Microsoft found that PCs from China had malware embedded before reaching consumers. The virus "could allow a hacker to switch on a microphone or Webcam, record keystrokes and access users' login credentials and online bank accounts." And an FBI investigation found that counterfeit routers purchased by various US government agencies also were pre-loaded with malicious software. Do you assume your new PC is secure, or if not, what steps do you take to secure it?
Columbia University researchers claim millions of HP printers could be open to remote attack via unsecured Remote Firmware Updates. Cybercriminals could steal personal information or attack otherwise secure networks. HP agrees there is a theoretical security problem but says no customer has ever reported unauthorized printer access. The company denies some of the claims and is still investigating others.
AT&T has told the U.S. Congress that its customers agreed to host Carrier IQ tracking software on their cellphones in their contracts. You might recall that, after the scandal over warrantless surveillance broke in 2006, AT&T quietly changed their contract for internet service to say that it, not its customers, owns all the customers' internet records. Those concerned about privacy might consider whether AT&T merits their trust.
In a recent site update, CNET Download.com listings have begun redirecting product download links for popular freeware and open-source applications to their own "downloader and installer" utility, which bundles a number of adware components alongside the requested application and changes the user's homepage and default search engine to Microsoft Bing. Freeware authors are sending CNET cease-and-desist orders demanding virgin download links, something affected open-source developers may or may not be able to do due to FOSS license terms.
"What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011." A study by The Global Threat Center over at Juniper Networks details mobile attacks that are increasing both in numbers and sophistication. This contrasts to the iPhone, more secure in part due to Apple's proprietary hold over the platform through its review process.
"To mark the first anniversary of Microsoft Security Essentials, the company has released some sobering statistics it has gathered during the past year via the free anti-malware software. According to Microsoft, Security Essentials has been installed on 31 million computers worldwide. Out of that group, 27 million users reported malware infections during the year."
Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware.
Traditional AV vendors continue to lag behind online criminals when it comes to detecting and protecting against new and quickly evolving threats on the Internet, according to a report by Cyveillance. Testing shows that even the most popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases only to 61.7% after 30 days.
Even after 30 days, many AV vendors cannot detect known attacks.
Several talks at the Black Hat security conference this week in Las Vegas will focus on tools that could make software safer by automatically searching for bugs and pinpointing the ones that could be most dangerous.
Microsoft is patching the Windows Help Center vulnerability that we reported on a few weeks ago.
AVG has launched free security software for Mac OS X, which includes tools for Safari and Firefox. AVG's CEO, JR Smith, says, "Mac users have traditionally been less vulnerable to attacks because of their lower market share, but that is quickly changing." That's the age-old question of to what extent the scourge of malware on Windows is a symptom of Microsoft's sloppy security decisions vs. due to Windows' popularity and the fact that malware authors can get "more bang for their buck" targeting the most popular platform.