Domain: thehackernews.com
Stories and comments across the archive that link to thehackernews.com.
Comments · 65
-
Re:Does it 'secure' against Miscreant-o-soft itsel
--Yep. "Windows security" is kind of like "Military intelligence"... Especially if you're on the front lines. Fully patched Win boxes are still prone to probably hundreds of different exploits, not the least being social hacks and encryption malware.
https://thehackernews.com/2018...
--And don't forget the 0-day hax, 3rd-party software vulns, and shared DLL libraries that have been around since the 90's and never code-audited. Last but not least, they now have to worry about the WSL layer as a possible attack vector.
/ there's a reason I've been a Linux guy for a LONG time now
// and an extra slashy for OSX/iMac being my primary desktop these days
-
Re:There is an immediate fix:
As of 2018, AMD chips are also vulnerable to Spectre1 and Spectre2; only Intel has Meltdown alongside these issues. As of now, many more Spectre types have been discovered and this list keeps growing. Many Intel, AMD and ARM chips are vulnerable.
-
Re:ANYONE READ THE SPECS?
I think you're right. First, looking at the new specs for declarativeNetRequest, I see no indication that the webRequest api is going away. Each API has pros and cons, from what I can see.
I do see changes happening to webRequest. It now requires host permissions. That means the end user can limit where an extension is used - or not limit it. Starting in Chrome 72 it will also be harder to modify referrers or cookies. But nothing webRequest does now is being entirely forbidden (unless the end-user requests it.)
-
Re:Now How Would
Because I'm a retired IT guy. Also, I'm running Windows XP, but it's patching itself.
Registry Hack: Get Windows XP Security Updates until 2019
It thinks it's an ATM machine or other embedded OS.
ATM security still running Windows XP
Anthony Spadafora
15/11/2018
-
Re:So iPhone lets you "listen in" on the conversat
The point is, the device is only secure as the communication line is. We've all seen the evidence that 2G and 3G networks are basically wide open to MITM intercept attacks by just turning on a cell simulator (Stingray) device close to the phone, especially with encryption downgrade attacks. 4g and LTE systems may be more secure, but even those are susceptible to some attacks. The president is certainly worth the effort if anyone is.
Some example attacks: https://www.zdnet.com/article/...
-
Re:Bullying
Cite then, chapter and verse, where Huawei has a product that contains code that benefits the Chinese government in a security risk scenario.
Pre-installed Backdoor On 700 Million Android Phones Sending Users' Data To China
"Moreover, it is worth noting that AdUps provides its software to much larger handset manufacturers, such as ZTE and Huawei, which sell their Android phones worldwide, across over 150 countries and regions."
-
Re:Alt Firmware?
From a different article
Since the research is still ongoing, Talos researchers "do not have definitive proof on how the threat actor is exploiting the affected devices," but they strongly believe that VPNFilter does not exploit any zero-day vulnerability to infect its victims.
Instead, the malware targets devices still exposed to well-known, public vulnerabilities or have default credentials, making compromise relatively straightforward.
-
Not the first time
Why would anyone still buy anything from D-Link or e.g. Cisco?
With their stuff, backdoors are not the exception but mandatory feature for every device they sell. 2013, 2016, now.
https://www.theregister.co.uk/... DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240" maybe more.
https://thehackernews.com/2016... DWR-932 B
So, sure once maybe it's an error or oversight. But the number of backdoors with pretty much all router manufacturers, from low end cheapo consumer D-Link to usurious Cisco plated with gold stuff, shows it's not an oversight but pretty much deliberate. Both manufacturers are only examples here. All of them have similar holes several times over the last few years, repeatedly. Or they are too incompetent to be allowed to design and then sell anything to the public.
-
Re:Locks in general, are not very secure.
Yeah, but this has the potential to make casual attacks even easier.
Does anyone know how hard it would be to update/patch the locks? Can it be patched at all?
There are so many ways to compromise locks, this changes nothing. Hotel locks are not electronic for security, they are electronic for ease of management.
-
Re: App permissions
Older Android versions may need a rooted phone or other hack to deny access to resources. See for example : https://thehackernews.com/2015...
-
Re:"Vulnerabilities"
In the era of flashable everything with zero signature checks, you simply cannot fully trust hardware once it's been compromised. Firmware rootkits have been a thing for a long time, and state sponsored attacks have used these esoteric methods before. Hardware manufacturers continue to release vulnerable systems. Everything old is new again.
-
Re:Zhaoxin
Chinese companies just put in backdoors for the Chinese government, organised crime, your Chinese competitors and so on.
https://thehackernews.com/2015...
http://www.zdnet.com/article/f...
http://www.securityweek.com/ap...
-
Re:We're not being cynical enough about this
That's Spectre, not Meltdown. Meltdown is far more egregious, and carries the huge performance penalty.
If you say so. I'm no expert on this stuff. The writeup on Hacker News certainly makes Spectre appear to be serious and difficult to mitigate:
The second problem, Spectre (paper), is not easy to patch and will haunt people for quite some time since this issue requires changes to processor architecture in order to fully mitigate.
Spectre attack breaks the isolation between different applications, allowing the attacker-controlled program to trick error-free programs into leaking their secrets by forcing them into accessing arbitrary portions of its memory, which can then be read through a side channel.
Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.
“In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.” the paper explains.
“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”
The paper they reference is an interesting read (particularly section 8, "Conclusions and Future Work"), available as PDF here.
-
Their cost is low because they sell your data
Take a look at this: - Another Shady App Found Pre-Installed on OnePlus phones https://thehackernews.com/2017... Quote: "A security researcher just found another secret app that records tons of information about your phone"....
-
Re: Java is in and of itself bad advice
If you're worried about offline attacks, you should use bcrypt.
To answer the GP's post: 1) MD5 is vulnerable to certain padding attacks. For instance, Microsoft had a cryptographically signed binary hacked by a dedicated attacker to hijack windows update. Basically, someone created an executable with a virus payload that resolved to the same MD5 signature as the original package. That's BAD. https://www.theregister.co.uk/...
MD5 is vulnerable to what's called a "length extension attack": https://en.wikipedia.org/wiki/...
This means that, in certain cases, you CAN make MD5 secure by doing very special things around how MD5 is used. But you have to know exactly what you're doing and SHA2 is really better anyway. So just use SHA2...
2) SHA1 has recently had vulnerabilities to the same types of usage. Do not use SHA1 or MD5 for cryptographically signing things. Keep in mind, it's still REALLY difficult to create a SHA1 collision, but engineers at Google did it. https://thehackernews.com/2017...
3) SHA2/3 are still looking secure. It's reasonably expected that if you sign something with SHA2 or SHA3, that someone will not be able to create a different binary/payload as you can with SHA1/MD5.
4) NONE of the above should be used to secure a password/credit card/secure info database. MD5, SHA/1/2/3. For a password database, the worry is someone will hack the DB and extract the information. For this, you should use scrypt or bcrypt (possibly with a salt and/or pepper). This is because the hacker will have the information offline and plenty of time and resources to hack it. In this case, the attacker is trying to brute force the database (by trying every password), with a limited set of (likely) passwords.
For 1-3, you want something that can verify the hash as quickly as possible. For usecase #4, you want an algorithm that takes a long time to verify the hash. This is because a brute force's success rate is dependent on how fast you can try all of the possibilities. If you have 1000 possible passwords and each attempt takes 1ms, then you can try every possible password in 1 second. If each attempt takes 500ms, then this will take 500 seconds.
For this, scrypt/bcrypt has a difficulty algorithm that scales. You basically decide how hard it is to verify a password based on the computational resources at your disposal and how long it should take a user to login. In an application I work on, hash computation actually takes a majority of the login time for the application.
In short:
1) Use Sha2/3 to sign packages, binaries, or transmissions
2) Use scrypt or bcrypt to encrypt data against offline attacks. Pick a difficulty strength as high as you can tolerate.
3) Use MD5 or SHA1 only as a non-cryptographic checksum (did my file get corrupted by a bit flip?--not is someone attacking me)
4) If you use MD5 to sign packages, binaries or transmissions, cracking your encryption will be relatively easy.
5) If you use SHA1 to sign packages, binaries, or transmissions, cracking your encryption will be possible for dedicated hackers.
-
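The tunable-cost idea from the hashing comment above (pick a difficulty based on how long a login may take, and offline guessing slows down by the same factor), as an added example that is not part of the original comment. It uses Python's standard `hashlib.scrypt`; the record format, the parameter values and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

R, P, DKLEN = 8, 1, 32  # assumed scrypt block size, parallelism, output length


def _scrypt(password: str, salt: bytes, n: int) -> bytes:
    # scrypt needs roughly 128 * n * r bytes of memory; OpenSSL's default cap
    # is 32 MiB, so raise maxmem to leave headroom for larger cost factors.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=R, p=P,
                          dklen=DKLEN, maxmem=2 * 128 * n * R)


def hash_password(password: str, n: int = 2**14) -> str:
    """Return 'scrypt$n$salt$digest' (hypothetical record format)."""
    salt = os.urandom(16)  # per-user random salt: equal passwords hash differently
    return "$".join(["scrypt", str(n), salt.hex(), _scrypt(password, salt, n).hex()])


def verify_password(password: str, record: str) -> bool:
    scheme, n, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    candidate = _scrypt(password, bytes.fromhex(salt_hex), int(n))
    # Constant-time comparison so the check itself leaks no timing signal.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, target_n: int) -> bool:
    """True when a stored record was made with a lower cost than today's target."""
    return int(record.split("$")[1]) < target_n


def seconds_per_hash(n: int, trials: int = 3) -> float:
    """Best-of-N wall-clock time for one scrypt evaluation at cost n."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        _scrypt("benchmark-password", salt, n)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate_n(target_seconds: float, min_log2: int = 10, max_log2: int = 17) -> int:
    """Smallest power-of-two cost whose hash time reaches the login-time budget."""
    for log2 in range(min_log2, max_log2 + 1):
        if seconds_per_hash(2**log2) >= target_seconds:
            return 2**log2
    return 2**max_log2


def exhaust_seconds(candidates: int, seconds_per_attempt: float) -> float:
    """Time to try every candidate password once against one stored record."""
    return candidates * seconds_per_attempt


if __name__ == "__main__":
    n = calibrate_n(0.1)  # assumed budget: about 100 ms per login on this host
    record = hash_password("correct horse battery staple", n)  # constructed sample
    print("chosen n:", n, "verifies:", verify_password("correct horse battery staple", record))

    # Compare the per-guess cost of a fast hash with the calibrated scrypt.
    start = time.perf_counter()
    for _ in range(1000):
        hashlib.sha256(b"benchmark-password").digest()
    fast = (time.perf_counter() - start) / 1000
    slow = seconds_per_hash(n)
    for label, cost in (("sha256", fast), ("scrypt", slow)):
        print(f"{label}: {exhaust_seconds(1_000_000, cost):.1f} s per 1M guesses")
```

`needs_rehash` lets a login handler upgrade old records to the current cost after a successful verification, since the cost factor is stored with each record.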
Re: Safety recalls, and feature changes
nope.
It actually required that you were connected to a cracked wifi, and then used the browser to go ANYWHERE. You did not have to hit a certain page. It is NOT a direct browser exploit like we see in MS Exploders. The fact is, that the browser had an opening it should not have.
The hack requires the car to be connected to a malicious WiFi hotspot and is only triggered when the car's web browser is used.
And no, tesla does NOT automatically hook up to service AP. The tech has to hook them up. In addition, in order to hack Tesla's AP, you need PHYSICAL access. It is possible, but not likely, that it will happen.
The other exploit was cracking your phone and then getting you to enter in your information.
Personally, I am more concerned about the latter since Tesla regularly requires you to re-enter your password when new software comes along. In doing that, it makes it quite easy to strip it from either android or iphone
-
Re: I'm going to start surfing incognito
nope. sorry.
there are many ways to 'fingerprint' a browser client, especially if you allow scripts to run. 'cookies' are just the easiest way.
https://nakedsecurity.sophos.c...
https://arstechnica.com/inform...
and, if you're on mobile, you might be fucked regardless. your provider may be inserting unique guid into http requests.
-
Re:Any TV you want
You're being tracked in detail across the Internet. Your personal data is being sold at every turn. I'm not sure what part of what I said is hard to believe _could_ happen. Especially since our electronics are already being infiltrated with spy chips.
-
Please.
For $1500 I can get an awesome MacBook Pro running a *nix.
The last thing I want is some Chinese designed and made computer that has god knows what software or firmware on it and Winblows. Sure I can wipe off whatever software they have, but the firmware?
I'm not playing that game.
We need to remember they are Commie bastards who are World Power wannabes and these companies are STATE controlled. Supreme leaders want software installed to get information, company bosses do what they are told or get executed.
-
Re:Needs more stats
Lower median could also mean that it's so easy that lots of unskilled botnet creators have entered the arena. You'll notice at the same time the largest DDoS attacks continue to grow year over year.
I think that's exactly what it means, but this means that anyone who really is smart is going to have to go after other classes of device when trying to perform a DOS - because all the kiddies are fighting over the stuff that they used to use. They may still be able to do damage, but they'll have to work for it again, instead of just being able to re-use the stuff they had before.
-
Needs more stats
Lower median could also mean that it's so easy that lots of unskilled botnet creators have entered the arena. You'll notice at the same time the largest DDoS attacks continue to grow year over year.
-
Re:I feel left out
You mean like Heartbleed or Shellshock? Or how about the one that not only affected Linux PCs but also affected every Android device from 4.4 on up thus leaving tens of millions vulnerable on devices that will never be patched? Or how about when the Linux Mint site was serving malware? Like that?
Joke all you want about MSFT but at least their OS gets 10 years of patches, you don't see tens of millions of Windows machines at risk because MSFT won't provide patches. Oh and just FYI since the Linux community was so quick to claim "Android is Linux!" you might want to know that by that metric Linux infections are skyrocketing while windows infections are dropping like a stone making Linux the most malware ridden OS on mobile networks which it has been for 3 years running now...congrats!
-
Re:Workstations with no mic or camera
As they already did - witness in 2013 the electric kettles with microphones and wifi chips that were attempted to be imported into Russia from China: http://thehackernews.com/2013/...
-
Hi CIA
https://wikileaks.org/ciav7p1/...
Reading list
A list of websites I like to check out to stay up to date and get new ideas:
General
http://reddit.com/r/netsec along with all the other good subreddits (RE, forensics)
http://thehackernews.com/
http://slashdot.org
Forensics
http://swiftforensics.com/
Ha, ha, hello CIA friends, I hope you've enjoyed all my ENTIRELY SATIRICAL posts over the years that may have appeared to the slow of wit to be critical of the government and the Agency, but were in fact entirely in jest. I'm sure you had a good chuckle all the times I COMPLETELY IRONICALLY referred to you as lying liars who lie about your lies to bring us into war under war false pretenses...over and over again.
Anywho, keep up the good work, friends!
-
Just spyware
Lenovo didn't like that all those third-party shovel-ware apps were getting in the way of their own spyware.
-
Re:Trend whores get what they deserve.
At least my thermostat doesn't stop working randomly and my lights don't turn on and off because someone flew their drone by my house. That, and my things don't participate in DDoS attacks.
-
Re:OK, So ... The pay is not so good ...
Does the NSA count as "hackers"?
They paid RSA $10M for a backdoor: http://thehackernews.com/2013/...
-
Re:Opt Out Policy?
http://thehackernews.com/2016/05/audio-fingerprint.html/ Good luck with those methods...
-
Re:What's the impact on Rust?
According to a hackernews article on the exploit, GitHub verifies all repositories that they host, so if you clone from GitHub you shouldn't need to worry about this exploit.
-
Re:New Innovation!!
And I have a brand new device that makes it easy for anyone to steal the information off your new invention!
http://thehackernews.com/2016/...
So what's next? Maybe some kind of authentication chip on your plastic card???
-
Re:Not a single problem with it, or Siri either
First, I've actually used Apple Pay at several locations and it's worked fine with no glitches.
Second, as more and more cards and terminals switch to chip/sign, it's going to take a little longer than 2 seconds to use a card as said card needs to be in the terminal for the length of the transaction.
Third, is your credit card backed up by a thumbprint or any other security mechanism? At all? Point being that losing a card pretty much means anyone who finds it can use it, as opposed to someone finding a locked iPhone and trying to figure out a way to spoof TouchId while standing in front of a cashier at your local grocery store.
Fourth, as I pointed out above, please watch the following video on just how easy it is for someone to install a skimmer and steal your swipe information....
-
Re:It ain't there yet
"I will stick with the mag stripe until adoption is much higher. It just works and is very fast, even with the stupid signature."
Ahhh, you might enjoy the following video demonstrating just how fast a crew can install a credit card skimmer on a store terminal.
http://thehackernews.com/2016/...
Good luck with the mag stripe...
-
Re:If you are using IE, that's what you get
I'd say that the NSA using MS error reporting is a pretty good "known security incident" for this type of thing.
http://thehackernews.com/2014/...
-
Re:Why are you surprised?
> Let's not start spewing FUD like that before we actually know what is stored in the packets sent to Microsoft.
Ok AC, you rein in those accusations. The rest of us will discuss how to disable the keylogger:
http://thehackernews.com/2015/...
And be sure to disable these KBs in Windows 7 and 8:
http://thehackernews.com/2015/...
And be sure to download stuff that stops it, for now, maybe:
https://www.reddit.com/r/Windo...
The EULA states that you agree to have your keystrokes sent and such:
https://privacy.microsoft.com/...
"...we share personal data among Microsoft-controlled affiliates and subsidiaries. We also share personal data with vendors or agents working on our behalf for the purposes described in this statement..."
"We may also disclose personal data as part of a corporate transaction such as a merger or sale of assets."
"Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails in Outlook.com, or files in private folders on OneDrive), when we have a good faith belief that doing so is necessary to:
Comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies...
Protect our customers... ...protect the rights or property of Microsoft..."
So basically, they'll disclose your data for almost any goddamned reason, including making an agreement with a third party to disclose your data to them in exchange for money.
And what data in question?
"Microsoft collects and uses data about your speech, inking (handwriting), and typing on Windows devices to help improve and personalize our ability to correctly recognize your input."
" It also includes associated performance data, such as changes you manually make to text..."
Microsoft also tries to guard you from Malware, a noble purpose... but in doing so it can leak pretty much all of your URLs.
The statement you respond to is not quite correct because the line about the "indexes of your harddrives and other storage devices" appears to be specific to the technical preview. But other than that, yea, it's pretty much spot on.
-
Re:This is crazy...
They got around the Tor encryption by getting some JavaScript/Java/PHP code to run on the host PC and extract the IP address that way. Stack Overflow and a hundred other blogs will all explain how to do this within a standard webpage. No illegal downloading of executables, DLL's, shared object files or modification of kernel permissions. Just plain web page design:
http://javascript.about.com/li...
The whole Tor project would be a little bit pointless if deanonymizing the users was a simple matter of "plain web design".
All the server side reliant methods of accessing the user's IP address with JavaScript listed in your link are irrelevant to the discussion here: If the user's IP address is known on the server side and you control the server, why on earth would you bother with client side JavaScript when you could just look at server logs? Of course, in a situation where the user does not connect to the server directly the server side methods only give you the IP address of the last proxy in the proxy chain. Onion sites can only be accessed through Tor, no direct connections are possible.
This leaves the JavaScript and Java method. The problem here is that the Firefox based Tor Browser (used by almost every Tor user) does not, for obvious reasons, include the Java plugin.
So how did the FBI do it then? I'm not aware of the specifics of this case but in the past they have used zero day vulnerabilities in Firefox JavaScript handling to run malicious "phone home" shell code on the client machines. Most anonymous web surfing guides since the 90's have advised strong anonymity seeking users to always keep their JavaScript disabled, though as the advisory for the 2013 exploit notes, many big attack vectors besides JavaScript remain, such as css, svg, xml, the renderer etc...
-
Re:Seems like time to consider the alternatives
KeePass had similar news just a couple of months ago. I think I read about it here, even.
http://thehackernews.com/2015/...
-
Re:Ugh
You're a liar, and likely a shill.
http://thehackernews.com/2014/...
http://www.geek.com/microsoft/...
Windows 10 DOES have a keylogger.
-
Re:I look forward to the ISIS publication....
Oh wait, they are not doing anything to expose actual terrorists...
Oh really? The only people that seem to have scared them off are the drug cartels.
-
Re:What is IoT?
I think hackers are going to be more interested in using IoT to hack a WiFi Password via a smart kettle
-
IOT
If morons don't do it, Chinese manufacturers will do the IOT for you
-
Re:Yet
You see a very bleak future, my friend.
What you call bleak, I call exciting.
:) Different strokes I suppose...
The future I envision is having Tony Stark's Jarvis personal assistant program open-sourced and running on my personal home Linux cluster behind a firewall with all of my devices connected locally or remotely through that interface... most likely all Linux devices. The computing power is mine, the data is mine, the agent that collects my preferences and conducts searches runs locally and for me, not some third party that wants to sell my information or could get easily hacked and cause numerous headaches.
That sounds great, but it is a fantasy... that will exist of course, but it'll be more like Siri/Cortana/Alexa is today, server driven and universal profiled with an account somewhere.
The number of people who are going to run a "personal home Linux cluster" are the extreme margins, probably less than 1%.
Windows 10 is the most intrusive software yet -- even includes a keylogger.
That sounds SO scary, but it really isn't, it is FUD...
Cortana doesn't function unless it sends your typed or spoken words to MS. Siri and Alexa work the same way.
http://thehackernews.com/2015/...
A whole bunch of "oh my god the scaries" are posted there, but doing what they suggest also turns off a bunch of features. If you plan to use a personal assistant like Cortana, you WANT her to get to know you, it makes her better over time.
This is the same as Google getting to know you, your Google searches when you're logged in are better than when they are not, Google learns you over time and provides a better experience.
As for Apple, they're so much more popular now than they were 20 years ago. I'm impressed with how many university students have them. Many of my family members have Macs, too. I always tell them that PCs are cheaper, but an Apple will "just work" with less hassle.
Don't confuse anecdotes with data. iOS is popular, OS X is not. OS X is hovering around 5% desktop market share, about where it has been for a long time. It simply costs too much to gain much more than that.
As for "just working", that is true, OS X just works, but so does Windows, and has since Windows 7. Win 10 has been by far the smoothest upgrade I've seen. I've installed it on dozens of machines now, as an upgrade, something I never used to do. Windows 7 was a clean install, not an upgrade, but my main machine was several years old, had gone through a motherboard change and multiple hardware changes without a Win 7 reinstall.
Installed Windows 10 on it, 100% of everything worked perfectly at first reboot, nothing had to be touched. MS did a bloody good job with it.
I've toyed with Linux for decades, but now that I've found Cubuntu -- Ubuntu with Cinnamon and no zeitgeist crap; I've found a Linux distro that does literally everything I used Windows for. Web browsing (chromium) 90% of my usage, movie watching (vlc) 5%, then libreoffice, steam, wine for a few games, etc.
Linux had its chance of the desktop market 15 years ago, that ship has sailed and it isn't coming back. Yes, you found something that works, and it does indeed work. But for various reasons that have nothing to do with technology, it isn't going to happen. But you may keep using it of course and it isn't going away, it just isn't going above the 1-2% market share that it has and has had for awhile.
I see a future without Windows.
I don't, and there is the difference. Nothing wrong with your point of view of course, it is colored by your perceptions and biases, as is mine.
Time will tell, but in fairness, nothing you've said is new. Most of those points were made 15 years ago when Win XP launched a
-
Re: Figures
You're a bit behind the times. Both Linux and OS X are now more vulnerable operating systems than Windows.
Show me one Linux vulnerability in the last year that didn't require a highly skilled attacker combined with a set of highly unlikely conditions, or rely on the system to be poorly configured. Hell, forget the year limit. Show me one from within the last decade. Good Luck!
I guess you've forgotten about this. Or you can search for ShellShock or Heartbleed. And then there are the kernel bugs that cause race conditions last December, or last May's bug that allows users to get privileged access or do a DoS, not too good in a shared hosting / shared server environment. This bug has nothing to do with a "poorly configured system". It's a flaw.
Here's the security vulnerability list for the linux kernel for 2014, with 133 bugs.
Some of these bugs made the evening news, so I don't know how you missed them all,
-
This would be the autopilot that ...
descended to 100 feet into a mountain, right? So the autopilot has no failsafe, it just follows whatever flight commands are made?
I guess we can just rely on the sanity of the flight path programmer, the autopilot, various sensors, and the easily spoofed GPS network to keep us safe.
-
Re:Prediction:
Just because it's "strictly business" doesn't mean that North Korea wasn't involved. They probably know how to short stocks too.
The broken English used in the threats is a match to a Google translation from grammatically correct Russian. That doesn't seem like a coincidence to me. Since the Russians hacked the NASDAQ as recently as July 2014, maybe they had something to do with it. And Russians are known to enjoy manipulating stocks
Mind you, I don't think this has anything to do with manipulating stocks. I think it is far more likely that it was some person who didn't like Sony very much and the deflection onto the DPRK was just a red herring. But if shorting stock WAS the angle, the Russians have a lot of experience doing it.
-
Re:So that's why Slashdot has been screwed up!
I'd like to think that the NSA would have devised something better than Slashdot Beta, if they were not only MITMing Slashdot (as they have done in the past) but replacing it with a whole new system. God only knows what kind of budget the NSA really has; you think they could have come up with a better system than Beta.
-
Re:Damn!
Supporting DRM in HTML5, for a start.
http://thehackernews.com/2014/...
-
telcos gonna veto
That's sure to kill the current worldwide trend in developing countries, where carriers (specially on pre-paid plans) give "free whatsapp and push notifications from fb, tw, etc"
Also, given whatsapp's security track record it should raise some eyebrows.
Offtopic: I actually went and RFTA (Hello! I'm new here) and found the picture in it rather interesting.
-
When will Apple silently remove the encryption?
It is nice that Apple added encryption to iOS 4 including the encryption of email attachments. But it seems like it was a mistake to depend on it since the protection was silently removed from iOS 7. Does additional encryption in iOS 8 really matter if the feature can be silently removed with a future revision?
I would prefer that data be encrypted by the application regardless of the OS so I can count on the behavior remaining consistent across OS upgrades.
-
Re:Hmmm
but the fact remains... Windows/Microsoft has been playing catch-up in security where Linux has been leading over the last decade.
So where are those facts?
Because the way I look at it there have been several embarrassing, high-profile successful attacks on Linux servers over the past few years:
Debian server compromised: http://www.zdnet.com/debian-se...
Ubuntu servers compromised: http://www.theregister.co.uk/2...
kernel.org compromised: http://lwn.net/Articles/457142... (we're still waiting for the post mortem on that)
linuxfoundation.org and linux.com compromised: http://thehackernews.com/2011/...
red hat and fedora servers compromised: http://www.cnet.com/news/red-h...
(and we do not even mention the OpenSSL fiasco)
So where are the widespread Windows Server compromises?
To be frank, I don't think anyone bothers reporting on them anymore. For a journalist "Linux server compromised" sounds far more sexy than "windows server compromised." These guys, after all, have to get readers in order to put food on the table.