Security and privacy Q&A

“Nice try, FBI!” :slight_smile:

2 Likes

The Mac freedom from ransomware danger might be ending, alas.

I’ve never understood the argument that Apple has such a low percentage of the market that it is a less likely target when ALL the studies show they have the most affluent user base. I would think they’d be prime targets.

1 Like

Interesting, Google is working on a feature that will warn if your private info is being traded on “the dark web” :notes: (ominous sound plays).

One of the latest breach/hack methods. As an engineer I’m very impressed with the skills deployed to surface this.

It is potentially significant in a Tom Clancy novel sort of way, but too soon IMHO to get a gauge of real world impacts…

Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away | Ars Technica

2 Likes

This is such a (checks dictionary) pernicious threat. Apps that you trust which later go rogue. I’m afraid the same thing could happen with the Windows equivalent.

3 Likes

So today on Reddit someone said “Look how old the files are on this USB stick I found!”, and basically every single comment is “congratulations, now you have a virus/trojan”.

I guess at some point I forgot that USB sticks are a point of concern. Is it really that easy to get hacked on Windows 11 just by plugging in a USB stick? As in “even if you don’t preview or open any files”?

Edit: Whelp… I guess I forgot about some of this. According to Bing:

I totally forgot about the trick of making a USB stick report as a keyboard, which is still (right?) allowed without any admin prompt confirmation, which means once it’s plugged in and auto-installed as a device, it can now send keystrokes. Scary stuff! Man… new phobia unlocked.

6 Likes

The government is terrified of USB sticks. Over the years, I have tried to submit information to the Courts and to Administrative Agencies on a thumb drive and have always been greeted with the same disdain normally reserved for public enemies.

5 Likes

With good reason.

In operating environments subject to DoD and Nuclear Regulatory Commission regulations, plugging an unauthorized device into a secured system can lead to imprisonment.

I am familiar with situations in which foreign nationals were given tours of secure facilities at the request of US agencies. Security sweeps after the visit ended found thumb drives scattered in bathrooms, break rooms and parking lots. The thumb drives even had the facility’s company logo on them. Subsequent forensic analysis confirmed the presence of self-loading malware that would’ve attempted to open firewalls and “phone home”.

2 Likes

Isn’t that how the Stuxnet virus was delivered?

1 Like

I heard that somewhere.

2 Likes

FBI’s Most Wanted Thumb Drive List
#3 Bronsky

2 Likes

Yeah, on the commercial side our support folks see that the majority of infected systems were caused by a USB stick.

In one case at a big insurer, 18 systems were infected by the same shared USB stick, which to make things worse, came from one of their vendors.

We here know they can be dangerous, but I’d venture to say the large majority generally are unaware.

2 Likes

Here we go again…

What’s doubly bad is that a couple of these flaws came to be from Intel microcode mitigations for the other James Bond themed flaws, Spectre…

Downfall Vulnerability Affects Millions of Intel CPUs With Strong Data Leak Impact (techrepublic.com)

PS: Yes, this is almost a month old, but it flew under the radar for many, including me. :frowning:

2 Likes

I think we will have to wait for the newest architecture and instructions released in the 15th gen and the advent of the new AVX10 and APX instruction set to advance toward a solution to the speculative execution problems:

Extract:

« APX also undoes many risky performance-improvement features that Intel has implemented in previous chips.

The company uses a feature called “speculative execution” to anticipate processor behavior. By predicting behavior, the chip was able to reduce delays and run some applications much faster.

But speculative execution has its own issues and was at the center of the Meltdown vulnerability detected on Intel chips in 2018.

The APX instructions have provided an opportunity to remove branch prediction, which typically assigns a task for execution based on “true” and “false” values.

“We can remove that and turn it into a conditional move. If that condition is this, then move this or that? No branch needed,” Singhal said. »

2 Likes
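The quoted passage describes turning a data-dependent branch into a conditional move so there is nothing left for the branch predictor to speculate on. The following is an added example (not from the forum post, the quoted article, or Intel) showing that shape in plain C: a branchy select next to a mask-based branchless select, and the same idea applied to a constant-time tag comparison. Function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Branchy version: the CPU predicts the `if` and speculates down one path,
 * so timing and cache state depend on which path was taken. */
static uint32_t select_branchy(int cond, uint32_t a, uint32_t b) {
    if (cond) return a;
    return b;
}

/* Branchless version: derive an all-ones or all-zeros mask from the
 * condition and blend. This is the conditional-move shape the passage
 * describes: no branch, no prediction, no path-dependent timing. */
static uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t mask = (uint32_t)0 - (cond & 1u);   /* 0x00000000 or 0xFFFFFFFF */
    return (a & mask) | (b & ~mask);
}

/* Branchless equality: returns 1 if x == y, else 0. */
static uint32_t ct_eq(uint32_t x, uint32_t y) {
    uint32_t d = x ^ y;                          /* zero iff equal */
    /* (d | -d) has bit 31 set iff d != 0 */
    return 1u ^ ((d | (uint32_t)(0u - d)) >> 31);
}

/* Constant-time comparison of two equal-length buffers (e.g. a MAC tag):
 * accumulate every difference and decide once at the end, no early exit. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= a[i] ^ b[i];
    return (int)ct_eq(acc, 0);
}

int main(void) {
    /* Constructed sample tags, not real values. */
    const uint8_t tag_ok[4]  = {0xDE, 0xAD, 0xBE, 0xEF};
    const uint8_t tag_bad[4] = {0xDE, 0xAD, 0xBE, 0xEE};
    printf("select_branchy=%u ct_select=%u\n",
           select_branchy(1, 7, 9), ct_select(1, 7, 9));
    printf("ct_memeq(ok)=%d ct_memeq(bad)=%d\n",
           ct_memeq(tag_ok, tag_ok, 4), ct_memeq(tag_ok, tag_bad, 4));
    return 0;
}
```

Optimizing compilers are free to turn either form into whatever they judge fastest, so code that must stay branchless in practice is checked at the generated-assembly level rather than assumed from the source.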

And it doesn’t help things that, more and more, the companies are spending more time hiding flaws than preventing them in the first place.

Libwebp is used in tons of custom/vertical market apps as well…

Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters | Ars Technica

1 Like

Whoops… A side channel vulnerability of the A- and M-series Apple Silicon CPUs allows leakage of passwords. On the upside, while it’s a 0-day, the author writes “the chances of this vulnerability being used in real-world attacks anytime soon are slim, if not next to zero”.

1 Like

Completely unrelated, but in early 2022 the IRS said they would move away from using the facial recognition service offered by ID.Me. So much to my surprise, I find that the only way to get tax transcripts from the IRS electronically in late 2023 is using … you guessed it, that very same ID.Me. Pretty disappointing.

I’m very surprised that this hasn’t gotten more attention than it has to date.

What’s equally troubling is not only the breadth and depth of Hemisphere itself, but the alleged degree to which they shared/sold data not only to our government, but also to select other governments and even private companies.

I hope that perhaps this will finally force a public reckoning on some of these potentially very serious invasions/incursions and force some much needed oversight, since the company(ies) involved have no current incentive to do so, and in fact have lots of reasons to remain opaque on all this.

US Senator calls for the public release of AT&T ‘Hemisphere’ surveillance records (engadget.com)

3 Likes

This is truly frightening:

“Four billion new records are getting added to its database every day, and a federal or state law enforcement agency can request a query with a subpoena that they can issue themselves. Any law enforcement officer can send in a request to a single AT&T analyst based in Atlanta, Georgia, Wyden’s letter says, even if they’re seeking information that’s not related to any drug case. And apparently, they can use Hemisphere not just to identify a specific number, but to identify the target’s alternate numbers, to obtain location data and to look up the phone records of everyone who’s been in communication with the target.”

Now, attach this to an LLM…

3 Likes