
[Computer Security Thread] On a vulnerable trail, CPU full of zombie


Posts

  • Fearghaill
    LD50 wrote: »
    kaliyama wrote: »
    Fearghaill wrote: »
    To be honest, the impersonation part hasn’t wowed me, or at least some stuff has gotten through unflagged that I wouldn’t have expected, but I have a feeling that we have the sensitivity set lower than recommended for most users on account of the shitstorm that would occur if a false-positive led to someone missing an important client email.


    We actually once had a Partner demand to be exempted from all email filtering, including spam filters, because a client email had gotten caught in quarantine and was delayed.

    They almost made it a whole day before begging to have the filters turned back on.

    If you’re referencing a partner, you probably work at a law or accounting firm. I’m a partner at one of those. Shitty spam filtering and attachment issues almost blew the deadline on a $300 million deal I was working on, and clients demand 24/7 responsiveness and will fire you if you miss something important. That’s why people chafe under spam filters.

    I think the answer, rather than to maliciously comply by turning off spam filtering, is to give people better real time access to what’s being filtered via better mimecast integration and training.


    I think that's a pipe dream. Most users are too inept to understand the information you'd give them in this case.

    I think the only thing you can really do is have your level 1 support do some handholding with spam filter related issues.

    I don't know about inept, at least in my case. I feel like everyone I work with could handle this stuff with proper training, the hard part is convincing them to make time to take it. I put a major push on getting people to take our introductory cybersecurity course the year it was launched, and I feel like even getting 1/3 of our users to attend was an accomplishment. It's mandatory for all new users, but people that have been here for decades can be a harder sell.

  • kaliyama
    Fearghaill wrote: »
    There was nothing malicious in our decision to comply - they demanded it, we did our best to explain why it wasn't a good idea and offer alternatives, they insisted, and the IT director at the time said to do it. Once they saw for themselves that we weren't exaggerating about how much spam is stopped beyond what they see in their quarantine list, they agreed to have it turned back on. The "begging" was more theatrics on their part, as they had a sense of humor about it. This was years ago, before the current system. Currently our users get emailed summaries at 4 different points throughout the day, and can check the filter at any time through an Outlook plugin and/or mobile app.

    I'm aware of the importance to the business to get it right on these things, but it's a line that's getting harder to walk. When I started here I would have said we should err on the side of permissiveness, as it's better to let a dozen spam messages through than to block or delay 1 legitimate email, and while I still think that's broadly true it's getting less clear-cut as email based scams get more sophisticated and more potentially damaging. False positives are still just as bad as ever, but if the filters are too loose we start seeing wire transfer scams and fake invoices with ransomware payloads get through. The NotPetya attack from a couple years ago took one massive law firm (DLA Piper) offline for three full days, with 0 IT systems outside of mobile phones and texts. That's a lot more than one missed client email.

    Part of the answer is as you say, giving users access to the spam quarantine and training on how to use it, but unless those in charge make security training mandatory for everyone, that is an incomplete solution. Too many of these scams are designed not to fool security software, but to trick the user into circumventing it themselves. As I mentioned above, we've had two instances where computers were infected because the users believed a fake file transfer email was a legitimate client communication and effectively invited a virus onto their computers.

    Agree completely. Your answer highlights that ultimately users will have to exercise judgment and no filter can replace that judgment. This is probably already an obvious best practice, but if useful to you, our IT Dept has had lots of success in educating users with red team exercises where they send fake spearphishing emails and payloads to users and anybody who falls for it gets additional training. It is a nice way of solving some political issues - the oldest users most resistant to training are likely to have the most sensitive info. Showing them their vulnerability in a real world context helps overcome resistance to training and has been a useful teaching moment in itself.

  • Fearghaill
    Lets play What's Wrong With This Email?

    [screenshot: ppNr3XY.png]

    What I have so far:
    1. Official legal notices probably shouldn't come from gmail accounts.

    2. It's weird how they at no point mention the name of the person they are sending this to, or their company anywhere in the email

    It’s almost like they want to send the same email to thousands of people without needing to change anything.

    3. It's even weirder that they don't mention their own name or company anywhere either

    4. Sending a single document through Google Docs or similar is not normal, unless you don't want it virus scanned...

    5. Password protecting and putting the password in the same email adds no security... but it does make it harder to scan the file, or convert it to a PDF before opening

    6. Threatening deadlines, weird grammar/punctuation

    7. Who the hell sends legal notices through a Google Form?

  • Fearghaill
    also the passcode is something an idiot would use on his luggage

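Added example, not code from the thread or from any mail filter: the red flags Fearghaill lists above, turned into a heuristic scorer over the raw message using Python's standard email parser. The rules, the three-flag threshold and both sample messages are constructed for the demo; the Google Forms URL, the addresses and the names in them are placeholders.

```python
"""Heuristic scorer for the red flags in the "What's Wrong With This Email?" post.

Added example, not code from the thread or from any mail filter. Rules,
threshold and the two sample messages below are constructed for the demo.
"""
import re
from email import message_from_string, policy, utils

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# A greeting line that names nobody (only counts when it is the whole line).
GENERIC_GREETING = re.compile(
    r"^\s*(dear\s+(sir|madam|customer|user|recipient|client)\b"
    r"|to whom it may concern"
    r"|(hello|hi|greetings|good day),?\s*$)",
    re.I | re.M,
)
URGENCY = re.compile(
    r"\b(within\s+\d+\s+(hours|days)|immediately|final notice|legal action|deadline|failure to)\b",
    re.I,
)
HOSTED_DOC_LINK = re.compile(
    r"https?://(docs\.google\.com/forms|forms\.gle|drive\.google\.com)/\S+", re.I
)
PASSWORD_IN_BODY = re.compile(r"\b(password|passcode|pass code)\b\s*(is|:)\s*\S+", re.I)


def sender_domain(msg) -> str:
    """Domain of the From: address, lower-cased ('' if unparsable)."""
    return utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def mentions(body: str, phrase: str) -> bool:
    """Whole-word, case-insensitive search for a name or a company."""
    return re.search(rf"\b{re.escape(phrase)}\b", body, re.I) is not None


def score_message(raw: str, recipient_name: str, recipient_company: str) -> list:
    """Return the names of the rules the message trips (empty list = nothing odd)."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    flags = []
    if sender_domain(msg) in FREEMAIL_DOMAINS:
        flags.append("freemail_sender")                 # 1: legal notice from a gmail account
    if not any(mentions(body, tok) for tok in recipient_name.split()):
        flags.append("recipient_name_missing")          # 2: never says who it is for
    if not mentions(body, recipient_company):
        flags.append("recipient_company_missing")       # 2 again, for the firm
    if GENERIC_GREETING.search(body):
        flags.append("generic_greeting")                # 2/3: no names on either side
    has_link = HOSTED_DOC_LINK.search(body) is not None
    if has_link:
        flags.append("hosted_form_or_doc_link")         # 4/7: one file via Docs/Forms
    if has_link and PASSWORD_IN_BODY.search(body):
        flags.append("password_shipped_with_link")      # 5: password in the same mail
    if URGENCY.search(body):
        flags.append("urgency_or_threat")               # 6: deadline pressure
    return flags


def is_suspicious(flags: list, threshold: int = 3) -> bool:
    return len(flags) >= threshold


# Constructed messages; addresses, link and names are placeholders.
PHISH = """\
From: Legal Notification <legal.notice.dept@gmail.com>
To: jdoe@acme.example
Subject: Notice of legal action

Hello,

You are required to review the attached legal notice within 48 hours.
The document is available here:
https://docs.google.com/forms/d/e/constructed-example/viewform
The password is 12345
Failure to respond will result in legal action.

Regards
"""

LEGIT = """\
From: Sam Rivera <sam.rivera@clientco.example>
To: jdoe@acme.example
Subject: Engagement letter

Hi Jane,

Attached is the signed engagement letter for Acme LLP, as discussed on our call.
Let me know if Thursday still works for the review.

Sam
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        flags = score_message(raw, "Jane Doe", "Acme LLP")
        print(f"{name}: {len(flags)} flags, suspicious={is_suspicious(flags)}: {flags}")
```

None of these rules is decisive on its own (plenty of real clients write from gmail, and "deadline" appears in legitimate mail all day), which is why the score counts independent signals rather than stopping at the first hit; it is the same trade-off between false positives and false negatives the earlier posts on spam filtering describe.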
  • Mugsley
    .....shit

  • Radiation
    Look, Silen Ebel is a well respected legal action notification person. Seems totally legit.

  • Caedwyr
    My company recently sent an email out for a security refresher quiz they wanted everyone to fill out. The fun begins with them using an email address from outside of our company's domain and not from one of the common online quiz providers. It then continues with all the images in the email being blocked automatically by our email filter and we don't even have the option of showing blocked images. Of course as is standard with corporate communications all the important text in the email is actually in a .jpg embedded in the email and not in text. This leaves us with a dodgy looking link emailed to everyone from an unknown email address with a short bit of text saying "check out this privacy quiz" and no signature.

    Unsurprisingly, a huge number of employees flagged it as a phishing attempt. A couple of weeks later, we start getting nag emails and comments from IT security representatives in the company through typical emails about how we should all do the survey. General response is "what survey?". This goes back and forth for a couple of weeks before we are told "okay, ignore all the stuff we have told you to do regarding phishing attempts and just click on the link and fill out the survey". People do so and then in the survey basically this exact scenario is presented and we are told that we should do what everyone did initially, but were then told by IT security people to bypass.

    I think we've all learned a lot from this experience, but I don't think it was what IT security was hoping to teach us.

  • Inquisitor77

    I just got an email last week from "[email protected]*.*.oracleoutsourcing.com" that was about my credit card reporting for expenses. It had a bunch of links that were obscured by an incredibly long internal SSO redirect (basically making it impossible to understand unless you were already familiar with those kinds of links and how to read them).

    Like, this was a legitimate email that came from a nonsense sender with incredibly generic text and gobbledygook outgoing links and they expect normal employee users to actually click this, after forcing us all to go through phishing training (with corresponding mandatory quizzes) that tell us to explicitly ignore this exact scenario. In all honesty anyone who clicked the links on the email instead of logging on directly to Oracle to confirm should be forced to go through security training again, because the only thing missing to set off red flags were random spelling errors.

  • BahamutZERO
    why are random spelling errors so common in that kind of scam anyway

  • furlion
    I think the general consensus is that anyone smart enough to catch the spelling errors would not fall for the scam anyways. So it lets them weed out those people.

  • TetraNitroCubane
    In the continuing saga of "No, your data isn't safe anywhere", it looks like somewhere over 2 billion credentials have been leaked.
    Like a bad movie, the sequel to the “Collections” data breach—Collections #2-#5— have snared an estimated 2.19 billion email addresses and passwords, far more than the original leak.

    Researchers at the Hasso Plattner Institute have reportedly discovered that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 database. That brings the total to 2.19 billion, though it’s not clear whether some of this information may have been circulated elsewhere, according to heise.de.

    tl;dr - Your password is probably compromised.

  • Mugsley
    Fuck

  • Orca
    Well the good news is none of my normal-use addresses are in the database.

  • Bucketman
    I'm just changing all mine and suggesting all my friends do as well.

  • BahamutZERO
    My primary account's shown up in this sort of bundle something like 8 times in 8 years from various big database security failures. No one has actually bothered to steal it each time before I changed the password, but I ought to figure out how to use a password manager.

  • Darkewolfe
    Ultimately this just shows that you NEED to use unique passwords for every system. You need to. Need to.

    I mean, we also need to do away with the current password system. But in the meantime it is not tenable to reuse passwords.

  • TetraNitroCubane
    Since we're on the topic of passwords, and the EXTREME risk of password re-use, I was hoping we could re-visit the discussion of password managers.

    Do people feel there's any risk involved with password managers? Obviously the ability to generate (and REgenerate) lengthy, strong passwords with minimal burden on the end user is an extremely positive benefit. Yet, password managers represent a single point of failure. I'm not just talking about compromising the master password, I mean that anything which separates the end user from their password manager. I can envision any number of situations where a password manager either leads to a user locking themselves out of all of their accounts, due to password database corruption or physical damage, or else compromise of all accounts, because they're storing their password database in the cloud or on a device that's easily broken into.

    Furthermore, it seems really silly to me to put your 2FA solution and your password manager onto the same device (that is, phone). If your phone gets compromised, you lose everything - Whereas the traditional benefit of 2FA is that if either your primary computer or your phone are compromised individually, your account can't be accessed (Incidentally, this is why I'm always taken aback when 2FA devices and nothing else can be used for password resets. You've not strengthened the credentials in that case, merely made the 2FA device the new target).

  • bowen
    You should make your email password one that's easy to remember and use 2fa.

    This way if all else fails, you can still get into your email and recover everything from there. Getting a new phone to replace your old one is relatively easy anyways for the 2fa stuff.

    The worst stuff is when 2fa uses something like google authenticator and you don't have the recovery keys. Make backups.

  • Mugsley
    It's more of a bitch that the way Google authenticator handles switching devices is "remove authenticator from that account and then add it back." There's got to be a better way when I get a new phone.

  • bowen
    I save the codes and just readd them when I get a new phone.

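Added example (not code from the thread or from Google Authenticator), for the "new phone" question in the last few posts: a TOTP code is just an HMAC over the shared secret and the current 30-second counter, so the secret is the whole backup. Save the otpauth:// URI the enrolment QR code encodes (or its base32 text) and re-adding it on a new phone produces the same codes without touching the account. The test vectors are the RFC 6238 Appendix B ones; BACKUP_URI is a constructed enrolment that uses that test secret, with placeholder label and issuer.

```python
"""TOTP (RFC 6238) computed from the shared secret, plus parsing the
otpauth:// URI that the enrolment QR code encodes.

Added example, not code from the thread or from Google Authenticator.
Test vectors are those in RFC 6238 Appendix B (secret
"12345678901234567890", SHA-1, 8 digits); BACKUP_URI is a constructed
example of what a saved enrolment looks like.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32(text: str) -> bytes:
    """Authenticator apps show the secret as base32, often unpadded and grouped with spaces."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def parse_otpauth(uri: str) -> dict:
    """Pull secret and parameters out of otpauth://totp/<label>?secret=...&issuer=..."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", ""),
        "secret": decode_base32(query["secret"]),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def code_from_uri(uri: str, unix_time: Optional[int] = None) -> str:
    """What a freshly restored authenticator would show for this enrolment."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algorithm"])


# Constructed enrolment URI using the RFC 6238 test secret; label and issuer are placeholders.
BACKUP_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

if __name__ == "__main__":
    print("code right now:", code_from_uri(BACKUP_URI))
```

Because the saved URI is equivalent to the authenticator itself, keep it where a lost or compromised phone cannot take it along (an encrypted file on a different device, or paper), which is the single-device concern TetraNitroCubane raised a few posts up.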
  • TelMarine
    The way I've been doing it is for "important" stuff, I memorize the password: e-mail accounts, bank accounts, game logins, etc. I mainly use my password manager for accounts that I know I'm not going to be using that often and small (in importance) and I don't want to have to remember yet another password. Some accounts I would use only a few times a year and always forget the password. It has REALLY REALLY helped, and I have over 40 accounts in there now. It's crazy how every website in this universe requires you to create an account, there's no way that's manageable without reusing passwords or getting a password manager.

  • Darkewolfe
    I personally feel that while there's risk to everything, the risk of a password manager (with an insanely long password) being breached is far lower and enables me to use highly complex, individual passwords for all my accounts.

  • Inquisitor77
    I've used LastPass for years and love it. I have a different password for everything (and you don't realize how many freaking things need an account and a password now until you have to track them), and every time there's news about another breach I roll my eyes because: (a) I don't share passwords for anything, so even if Peter's Pizza were shitty and lazy and lost my password because I ordered from them that one time it doesn't impact anything else, and (b) I just go and change my passwords whenever I need to and I move on with my life.


    Edit: I've heard of people who don't even save passwords except for their most important ones, and they literally just have their password managers generate a new password every time. As long as you have access to your email account and you don't mind resetting your password for each login, it's an interesting approach to say the least.

  • Donnicton
    https://gizmodo.com/why-ji32k7au4a83-is-a-remarkably-common-password-1833045282

    Well this is pretty neat.
    For too many people, moving the digits around in some variation of Patriots69Lover is their idea of a strong password. So you might expect something complicated like “ji32k7au4a83” would be a great password. But according to the data breach repository Have I Been Pwned (HIBP), it shows up more often than one might expect.

    This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by HIBP over a hundred times.


    Have I Been Pwned is an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community. In this case, “ji32k7au4a83" has been seen by HIBP in 141 breaches.

    Several of Ou’s followers quickly figured out the solution to his riddle. The password is coming from the Zhuyin Fuhao system for transliterating Mandarin. The reason it’s showing up fairly often in a data breach repository is because “ji32k7au4a83" translates to English as “my password.”

    ...

    It goes on to explain in depth how the Unicode translates this way. It's basically the Chinese equivalent of calling your password "password".

    This is one of those weird security quirks you'd likely only start to recognize after someone points it out to you at least once.

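Added example, not code from the thread or from Have I Been Pwned, for the two HIBP posts above (the Collections leak and the "ji32k7au4a83" story): checking a password against Pwned Passwords with the range (k-anonymity) API, where only the first five hex characters of the password's SHA-1 leave the machine and the match is done locally against the returned bucket. The API shape is the published one; the bucket in the code is constructed so the check runs offline, and its counts are made up.

```python
"""Checking a password against Pwned Passwords without sending it, via the
k-anonymity range API: send the first 5 hex chars of its SHA-1, get back every
suffix in that bucket, match locally.

Added example, not code from the thread or from Have I Been Pwned. The API
shape (GET https://api.pwnedpasswords.com/range/<prefix>, one line per hash as
<35-hex-suffix>:<count>) is the published one; the bucket below is constructed
so the check runs offline, and its counts are made up.
"""
import hashlib
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Upper-case hex SHA-1, split into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Response lines look like 1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen).

    Only the prefix is handed to fetch_range; the password and its full hash never leave here.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed bucket for prefix 5BAA6 (SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Real buckets hold several hundred lines;
# the other two suffixes and all counts here are made up.
CONSTRUCTED_BUCKETS = {
    "5BAA6": "\n".join([
        "00000000000000000000000000000000001:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ])
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call; returns an empty bucket for unknown prefixes."""
    return CONSTRUCTED_BUCKETS.get(prefix.upper(), "")


def online_fetch(prefix: str) -> str:
    """The real call, for use outside the offline demo."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in the constructed bucket'}")
```

Swap offline_fetch for online_fetch to query the live service; a 5-hex-character prefix is shared by hundreds of other hashes, so the server learns almost nothing about which password was checked. A count above zero is a reason to retire the password even if it was never leaked from one of your own accounts, since credential-stuffing lists are built from exactly these corpora.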
  • NEO|Phyte
    Sounds like Intel CPUs have yet another security hole.
    https://www.techpowerup.com/253285/spoiler-alert-new-security-vulnerability-found-affecting-intel-cpus
    I am not sufficiently security savvy to work out exactly how bad this one is, I feel like we've already had some speculative execution vulnerabilities in the past.

  • Mr_Rose
    You gotta trick the chip into speculatively executing code with elevated privileges, cancel the execution, and read back the address of the elevated code before it clears up, then put your malicious code there then try to spec-exec the same code again, only it’s yours now. I think. But yeah arbitrary code execution is kind of a bad thing.
    The answer is to sandbox their speculation system but they can’t because it’s literally spare runtime on the main core.

  • Orca
    Looks like at some point my "don't-give-a-fuck" password got compromised in one of the endless series of leaks.

    I got the "Your account has been hacked! You need to unlock." bitcoin phishing email sent to an email I had set up specifically for imgur. The email contained the old "don't-give-a-fuck" password in it, which made me look at it much more closely (after I'll admit an instant of panic since the password lends credibility--clever).

    Guess it's time to update my don't-care password to something new. *mutter*.

  • 3lwap0
    BahamutZERO wrote: »
    why are random spelling errors so common in that kind of scam anyway

    Haven't checked this thread in a hot minute, but there are a few reasons. 1) Typically these e-mails come from English as a second-language folks. 2) A lot of these scammers and just spammers in general will use phishing e-mails built into a template to save time, and errors just get propagated. 3) Detection evasion. If a good guy is searching e-mail corpuses to look for patterns in spammers, indenting or adding misspellings is actually a decent way to evade a lot of automated detection. An extra indent here, semi-colon there, etc., can shake up some anti-spam systems.

  • Fearghaill
    I’d also heard there was an element of target selection - anyone aware enough to be warned off by spelling/grammar errors probably isn’t going to fall for the whole scam, so a few deliberate errors makes sure they don’t waste time on anyone but the truly oblivious and gullible

  • 3lwap0
    Fearghaill wrote: »
    I’d also heard there was an element of target selection - anyone aware enough to be warned off by spelling/grammar errors probably isn’t going to fall for the whole scam, so a few deliberate errors makes sure they don’t waste time on anyone but the truly oblivious and gullible

    Hmm - not sure I've seen that. Typically, for spear phishing e-mails, you want them to be as precise and legitimate looking as possible. For ESL scammers, that's kind of tough for linguistic reasons. Like sort of...Italian to English because Italians who write in (while having a good mastery of speaking it) English typically struggle with comma usage or other mid-sentence punctuation, and to a native English speaker it'd look kind of suspicious. I see this with wire transfer fraud e-mails to CFOs and other money people - "Please send me $$$, honest". Those are good ones - well done, targeted, and convincing as heck.

    The others depend on what the motives of the spammers are I think - keep in mind malspam is still the top way to send malware and infect victims. It's cheap, and still works. Financial fraud e-mails tend to do their best grammar wise, but malspam e-mails, in my observation anyways, don't really care. Just click the link or open the attachment.

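Added example, not code from the thread or from any filter, for 3lwap0's third reason above: an exact-substring spam signature is defeated by a stray semicolon, an extra indent or a zero in place of an o, while normalising the text first (case, leetspeak, punctuation, whitespace) and then scoring edit distance against known lure phrases survives both that and genuine misspellings. The lure phrases, the leetspeak table, the 0.85 threshold and the three messages are constructed for the demo.

```python
"""Why a few typos or stray punctuation marks beat an exact-match spam
signature, and a normalise-then-edit-distance check that does not.

Added example, not code from the thread or from any mail filter. The lure
phrases, the leetspeak map, the 0.85 threshold and the three messages are
constructed for the demo.
"""
import re
import unicodedata

LURES = [
    "your account has been suspended",
    "verify your account immediately",
    "please see attached invoice for payment",
]

# Common digit/symbol substitutions, undone before matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text: str) -> str:
    """Lower-case, undo leetspeak, drop punctuation, collapse whitespace and indents."""
    text = unicodedata.normalize("NFKC", text).lower().translate(LEET)
    text = re.sub(r"[^a-z\s]", "", text)
    return re.sub(r"\s+", " ", text).strip()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    return 1.0 - levenshtein(a, b) / max(len(a), len(b), 1)


def exact_match(message: str):
    """The signature approach: is a lure phrase literally present? Returns the lure or None."""
    low = message.lower()
    return next((lure for lure in LURES if lure in low), None)


def fuzzy_match(message: str, threshold: float = 0.85):
    """Slide a window the size of each lure over the normalised text; return (best score, lure or None)."""
    words = normalise(message).split()
    best_score, best_lure = 0.0, None
    for lure in LURES:
        n = len(lure.split())
        for i in range(max(1, len(words) - n + 1)):
            score = similarity(" ".join(words[i:i + n]), lure)
            if score > best_score:
                best_score, best_lure = score, lure
    return best_score, (best_lure if best_score >= threshold else None)


# Constructed samples: a lure padded with junk, a lure with real typos, and a benign note.
MUTATED = "Dear   Customer,\n\n  Y0ur acc0unt; has  been suspend-ed !! Verify it immediatly."
TYPOED = "youre acount has ben suspended, see the attached invoce for paymnet."
BENIGN = "Hi Jane, your order has shipped and should arrive Thursday."

if __name__ == "__main__":
    for name, msg in (("mutated", MUTATED), ("typoed", TYPOED), ("benign", BENIGN)):
        print(f"{name}: exact={exact_match(msg)!r} fuzzy={fuzzy_match(msg)}")
```

The threshold is the tuning knob: lower it and the benign order notice starts scoring against lures that share ordinary words with it, which is the false-positive side of the trade-off the earlier posts on spam filtering complain about. It also shows why the template-propagation reason holds up: once a phrase is normalised, the hundred slightly different copies a template produces collapse back onto the same lure.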
  • TetraNitroCubane
    This has been a developing story for a while now, but I think it's still worth talking about here if we can.

    Kaspersky Labs has reported about a supply-chain attack on ASUS hardware.
    Thanks to a new technology in our products that is capable of detecting supply-chain attacks, our experts have uncovered what seems to be one of the biggest supply-chain incidents ever (remember CCleaner? This one’s bigger). A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.

    The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.

    This attack has apparently been going on since June or July of 2018. The fact that the attack vector is, in fact, the legitimate ASUS LiveUpdate utility is what makes it so insidious. Usually we trust a manufacturer's own distribution channels. This attack is particularly awful on another layer, because the BIOS is compromised in the process - meaning that reinstallation of the OS is not a promise of removing the malware from the machine.

    Strangely, the initial attack seems to have been scanning target machines for very specific MAC addresses - only a few hundred machines were ever the subject of that attack. Now that it's out in the wild and known, I'd presume other bad actors are trying to leverage infected machines.

    Kaspersky and ASUS have released tools to analyze if you are impacted by this attack - now known as Shadowhammer.

    One thing that remains unclear to me is if ASUS hardware remains vulnerable even if you don't use their ASUS LiveUpdate utility. I presume not, but then again I don't know where Windows Update pulls their ASUS drivers and the like.

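The post above notes that the trojanized updater carried a legitimate signature and kept the exact byte count of the original, so neither a signature check nor a size check would have flagged it. The following is an added example (not Kaspersky's or ASUS's tooling) of the kind of pinned-manifest check a defender would want on top of that: it reports size and SHA-256 separately, so a size-preserving modification is still caught and reported as such. The updater bytes and manifest values are constructed here; a real manifest would be fetched out of band, not from the same update server.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class ManifestEntry:
    """Pinned expectations for one update file (constructed values, not a vendor's)."""
    name: str
    size: int
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(data: bytes, entry: ManifestEntry) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Size and hash are checked independently so the verdict distinguishes a
    size-preserving content change (the Shadowhammer case) from a truncated
    or padded download. A valid vendor code signature says only that the
    vendor's key signed this file; it does not replace the pinned hash.
    """
    size_ok = len(data) == entry.size
    hash_ok = sha256_hex(data) == entry.sha256
    if size_ok and hash_ok:
        return True, "size and sha256 match the pinned manifest"
    if size_ok:
        return False, "size matches but sha256 differs: contents were altered"
    return False, f"size {len(data)} differs from pinned {entry.size}"


# Constructed stand-in for the genuine updater: a header plus zero padding.
GENUINE = b"LIVEUPDATE v1.0 " + b"\x00" * 48
# Constructed stand-in for a trojanized build that overwrites part of the
# padding so the byte count stays identical to the genuine file.
TROJANIZED = b"LIVEUPDATE v1.0 " + b"\x90" * 16 + b"\x00" * 32
assert len(GENUINE) == len(TROJANIZED)

# In practice this entry comes from an independently obtained manifest.
MANIFEST = ManifestEntry("LiveUpdate.exe", len(GENUINE), sha256_hex(GENUINE))

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("trojanized", TROJANIZED)):
        ok, why = verify_update(blob, MANIFEST)
        print(f"{label:11s} accepted={ok} ({why})")
```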
  • LD50 Registered User regular
    TetraNitroCubane wrote: »
    Strangely, the initial attack seems to have been scanning target machines for very specific MAC addresses - only a few hundred machines were ever the subject of that attack. Now that it's out in the wild and known, I'd presume other bad actors are trying to leverage infected machines.

    This isn't as strange as it sounds. By limiting the targets it significantly reduces the chance of the malware being detected (which given how long this has gone on undetected, it seems like it worked).

    TetraNitroCubane wrote: »
    Kaspersky and ASUS have released tools to analyze if you are impacted by this attack - now known as Shadowhammer.

    Man, I hate the people who name this shit. They have clearly named this attack after rowhammer, because rowhammer sounds scary, but this has nothing to do with rowhammer in any way. Hell, it's not even an exploit.

  • LostNinja Registered User regular
    Ugh, I have an ASUS desktop but don’t think I’ve ever used live update unless it’s just in the background.

    Also, that Kaspersky found it makes me sad all over again that they are at least marginally untrustworthy due to the whole Russia connection. Best AV I’ve had :(

  • Shadowfire Vermont, in the middle of nowhere Registered User regular
  • TetraNitroCubane Registered User regular
    What the hell, that's downright evil and predatory. I can't believe Office Depot looked at one of the most insidious scams, specifically one preying on aging computer-illiterate folks, and thought "Hell yeah, let's get a piece of that action".

    Disgusting.

  • Drascin Registered User regular
    edited April 3
    Darkewolfe wrote: »
    Ultimately this just shows that you NEED to use unique passwords for every system. You need to. Need to.

    I mean, we also need to do away with the current password system. But in the meantime it is not tenable to reuse passwords.

    The thing is that EVERYTHING needs a password. I can't remember fifty different passwords that I also should change every time a breach happens. Reuse is suicidal, but also your options are basically either constant reuse or resetting your password every time you go into a thing you don't use every day, cause you sure as heck ain't gonna remember the long password for that thing you set up last week.

    I need to look into how password managers work, and how the whole thing works if you need to constantly access stuff from a lot of computers that aren't your own, but also the fact that I'd need to manually change fuck knows how many passwords to get it set up is kind of a barrier.

  • furlion Riskbreaker Lea Monde Registered User regular
    Drascin wrote: »
    Darkewolfe wrote: »
    Ultimately this just shows that you NEED to use unique passwords for every system. You need to. Need to.

    I mean, we also need to do away with the current password system. But in the meantime it is not tenable to reuse passwords.

    The thing is that EVERYTHING needs a password. I can't remember fifty different passwords that I also should change every time a breach happens. Reuse is suicidal, but also your options are basically either constant reuse or resetting your password every time you go into a thing you don't use every day, cause you sure as heck ain't gonna remember the long password for that thing you set up last week.

    I need to look into how password managers work, and how the whole thing works if you need to constantly access stuff from a lot of computers that aren't your own, but also the fact that I'd need to manually change fuck knows how many passwords to get it set up is kind of a barrier.

    Password managers are in fact the solution to your problem. Most of them are quick to set up, easy to use, and robust. They are a necessity in this day. The one I use, Keepass, is free and will generate passwords for you. It also has an Android app that I keep synced using Dropbox. I am sure others here will recommend more.

  • Orca Registered User regular
    I have used KeePass for the last...uh...8 years? And it's great on Android with Dropbox. iOS is much more of a pain in the ass due to the permissions problem (you need to manually sync your database, and who ever remembers to do that?). Still, it's worth it.

    Get the email of shame "we got compromised, we value security, more lies about privacy, etc.", just generate a new password and roll your eyes. Don't have to sweat changing 50 different accounts because one of them got compromised.

  • Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and time Registered User regular
    Been using LastPass for years. Highly recommended. Also hear good things about KeePass.

  • Campy Registered User regular
    I started using Enpass a few months ago after years of dithering.

    I can safely say that past-Campy is a royal jeb end for not doing it sooner.
