It's a Tile fire, another reason to distrust your new Start Menu

Subject: General Tech | April 17, 2019 - 01:26 PM |
Tagged: windows 8, windows 10, tiles, security, microsoft

*** Update from April 18th, 11:56
Microsoft has now deleted the nameserver record and we no longer control the subdomain. We still haven't received a reply from Microsoft. ***

If you like the Live Tiles that show an RSS-style feed from a pinned website, or even the animated ones that just look fancy, there is something you should know.  The subdomain which serves the content to those tiles is no longer under Microsoft's control, so whoever holds it decides what every machine polling it displays.  Thankfully a security researcher was quick to notice and is now hosting the site on his own Azure instance.  Predictably there is a lot of traffic asking for XML feed updates and, according to the quote on Slashdot, he will not keep sinkholing those requests indefinitely as it is running up his costs.

At this time Microsoft has not responded, so you might want to seriously consider removing any Live Tiles pinned from websites from your Win8/10 Start menu.


"The subdomain (notifications.buildmypinnedsite.com) is currently under the control of Hanno Böck, a security researcher and journalist for German tech news site Golem.de. The subdomain was part of the buildmypinnedsite.com service that Microsoft set up with the launch of Windows 8, and more specifically to allow websites to show live updates inside users' Start pages and menus."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Everybody's flashing for the weekend, even Intel wants a little romance

Subject: General Tech | April 12, 2019 - 12:32 PM |
Tagged: security, patch, Intel, flash

If you and your Intel chips are feeling insecure, why not show them some love this Friday night and flash them with new updates?  There are new updates, including one to mitigate Spoiler and one for the Broadwell U i5 vPro found in the Intel NUC.  There are also software updates which resolve privilege escalation vulnerabilities in the Graphics Performance Analyzer for Linux and the Intel Media SDK.

As when flashing your motherboard or GPU, do be careful to read and follow all the steps, unless you have a love of bricking expensive equipment.  Drop by The Register for links to all four updates.


"Chipzilla's April patch load includes fixes for a pair of bugs considered by Intel to be high security risks, as well as a speculative execution bug reported by university researchers last month."


Source: The Register

I see your wireless password is early adopter

Subject: General Tech | April 11, 2019 - 12:25 PM |
Tagged: WPA3, wireless, security, bug, dragonblood, sae

WPA3 is a year old and it seems it has a few flaws which still need to be ironed out, though it can still offer better protection than WPA2.  The Inquirer describes the flaw in the Simultaneous Authentication of Equals (SAE) handshake, dubbed Dragonblood, in this recent article.  It is not a merely theoretical architectural flaw: the researchers who discovered it used it to brute-force an eight-character lowercase password with about $125 worth of Amazon EC2 time; not good for a handshake that was specifically designed to make offline dictionary attacks infeasible.

The good news is that a change to the SAE algorithm could mitigate this specific flaw, and as WPA3 is not yet widely adopted that is something which could be done before it starts to become mainstream.


"Launched in January 2018, WPA3 uses the Advanced Encryption Standard (AES) protocol to improve WiFi network security. However, a new research paper published by Mathy Vanhoef and Eyal Ronen shows that the protocol may not be as safe as previously thought."


Source: The Inquirer

DNS, you are the weakest D-Link!

Subject: General Tech | April 5, 2019 - 01:30 PM |
Tagged: D-Link, security, dns

Do you have a love/hate relationship with DNS and how it makes your life so interesting?  If not, hopefully you aren't using one of the D-Link, ARG-W4, DSLink, Secutech or TOTOLINK routers listed in this article at Slashdot, as it is bound to ruin your trust in DNS.  Bad Packets detected three distinct waves of attacks, in late December 2018, early February 2019 and late March 2019, and the attacks continue to this day.

Using well-known exploits that many of these routers have still not been patched against, attackers are changing the DNS servers configured on the routers so they can easily and invisibly redirect you to cloned sites that harvest your credentials as you attempt to log in.  If you do have one of these routers, check the DNS servers on its admin page against what your ISP actually uses, and see about getting a firmware update from the manufacturer or your ISP ... just don't download it from a machine whose DNS still goes through that router!


"Troy Mursch, founder and security researcher at internet monitoring firm Bad Packets, said he detected three distinct waves during which hackers have launched attacks to poison routers' DNS settings --late December 2018, early February 2019, and late March 2019. Attacks are still ongoing, he said today in a report about these attacks."


Source: Slashdot

Today it's Huawei, let's hope tomorrow doesn't bring a new one

Subject: General Tech | March 27, 2019 - 03:32 PM |
Tagged: Huawei, PCManager, security

ASUS has addressed the issue reported yesterday (see the updated post); today it is Huawei that is the problem.  As part of the latest update to Windows 10, Microsoft deployed new kernel sensors which can detect software touching the kernel in less than auspicious ways, and they immediately spotted an issue with Huawei's PC Manager app, which updates drivers on their products.  All an attacker need do is plant a malicious copy of MateBookService.exe and, even without admin privileges of their own, the Huawei driver that watches over that service and restarts it when it dies would launch the attacker's copy with full control of the machine.

The good news, as The Inquirer points out, is that this was patched back in January, so as long as you have updated since then you are safe.


"Security boffins from Microsoft discovered a pretty nasty local privileged execution vulnerability in the Huawei PCManager driver software, found in machines like the MateBook X Pro, after new kernel sensors were brought into Windows 10 through the much-maligned October 2018 Update."


Source: The Register

Report: Supply Chain Attack ShadowHammer Leveraged ASUS Live Update

Subject: General Tech | March 25, 2019 - 01:47 PM |
Tagged: ShadowHammer, security, Kaspersky Labs, asus

Update, 3/26/19: As reported by TechRadar this morning ASUS has responded to the issue and implemented a fix to the latest version of Live Update (version 3.6.8) which provides "an enhanced end-to-end encryption mechanism" for the software. ASUS states that they "have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future”. The company has also released a software tool to see if your system is affected, available directly from ASUS here (ZIP file).

Further, Bloomberg reports today that ASUS has disputed the numbers from the Kaspersky report, stating the attacks impacted only several hundred devices - and not "over a million" as had been estimated by Kaspersky. An ASUS spokesperson also said that "the company had since helped customers fix the problem, patched the vulnerability and updated their servers," in a statement quoted in the Bloomberg report.

The original news post follows.


Today, unfortunately, we have a perfect example of a supply chain attack posted at Slashdot, and a very good reason for anyone using ASUS products to do a full scan of their systems as soon as they can.  It seems that attackers compromised the ASUS update server, signed their malware with two different legitimate ASUS code-signing certificates, and pushed it out to about half a million customers when their machines ran an auto-update.  Kaspersky Labs published details on their findings this afternoon as well, cautioning that "the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore".

What makes this even more interesting is that the implant was looking for around 600 specific MAC addresses; when it found one it would immediately reach out to another server to install an additional payload.  That does not mean anyone without one of the listed MAC addresses is safe: the backdoor is still present on every infected machine and could be repurposed to install additional nastiness on all of them.  According to Motherboard, Kaspersky first detected this in January and has reached out to ASUS several times, as has Motherboard, which "has not heard back from the company".


"The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses."


Source: Slashdot

It's a good day to be running an AMD APU, unless you like updating iGPU drivers

Subject: General Tech | March 14, 2019 - 12:08 PM |
Tagged: Intel, security, patch, igp

Today there are patches for no less than 19 vulnerabilities in Intel's graphics drivers for Windows of various flavours.  Sysadmins should also pay attention, as there are vulnerabilities specific to server chips as well, with patches for a variety of features up to and including the Trusted Execution Engine; if you are using a desktop chip with these features you should also pay attention.  The only silver lining is that these are local vulnerabilities: exploiting them requires an attacker who already has a foothold on the machine ... or physical access, of course.

You can read through the synopsis of these CVEs over at The Register if you want to ruin your Thursday.


"Chipzilla's March patch dump is highlighted by fixes for 19 CVE-listed vulnerabilities in its graphics drivers for Windows. If you use Windows and have those drivers (and if you're running an Intel CPU with integrated GPU, you almost certainly do) you will want to patch sooner than later."


Source: The Register

The pen is mightier than the car alarm

Subject: General Tech | March 8, 2019 - 12:57 PM |
Tagged: security, hack, automotive, car alarm

Another week goes by and another half dozen vulnerabilities have been announced, as has sadly become tradition.  If you prefer to jump directly to the Chrome and Win7 ones below, feel free, but this particular vulnerability Hackaday describes is a bit different from the norm.  It seems popular car alarm systems from Viper/Clifford and Pandora could be used quite effectively as carjacking tools.

Both had poorly implemented account security, which made it fairly trivial to change any user's password and so take over their account.  That access lets you locate the car via GPS, listen in if the car has a microphone, lock and unlock the doors, trigger the alarm, and even start and stop the engine.  This is, as they say, a bad thing, and thankfully it was patched promptly once the researchers at Pen Test Partners reported it to the companies involved.


"As ethics demand, the group notified the vendors and supposedly the holes have been plugged. Sometimes you hear about a hack that requires some very exotic work, but these were trivially simple. It is unknown if anyone ever used these hacks in a bad way, but it was certainly a real possibility."


Source: Hackaday

Spoiler alert! Don't have a Meltdown but Spectre isn't the only spooky thing about Intel chips

Subject: General Tech | March 5, 2019 - 06:29 PM |
Tagged: spoiler, spectre, security, meltdown, Intel

******Update*****

A spokesperson from Intel reached out to provide a statement for us.

“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

This is good news, as the original report suggested a software mitigation might not be possible.

********** End Update ***********

If Tim's post earlier today was a bright spot on an otherwise dismal day, then get ready for the clouds to roll back in.  The performance drop experienced from protecting yourself against Spectre and its variants may have been mitigated to a point; however, researchers from Worcester Polytechnic Institute in Massachusetts and the University of Lübeck have discovered that Intel chips are vulnerable to a newly discovered side channel dubbed Spoiler.

Like the previous vulnerabilities it exploits speculative execution; however, unlike Spectre, Meltdown and their variants, it attacks via the Memory Order Buffer, using the timing behaviour it exposes when resolving dependencies between speculative loads and stores.  If there is one bit of good news in this discovery, it is that only Intel processors are affected, not AMD or ARM.

Read on at Slashdot if you aren't already depressed enough.


"Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets. However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache."


Source: Slashdot

Microsoft Rolling Out Retpoline Optimizations Update to Reduce Performance Impact of Spectre 2 Mitigations

Subject: General Tech | March 4, 2019 - 08:12 PM |
Tagged: windows update, spectre, security, retpoline, microsoft, meltdown, cve-2017-5715

Microsoft recently detailed its testing of the retpoline optimizations present in Windows Insider Preview builds of Windows 10 (18272 and newer) and has announced that, starting with update KB4482887 on March 1st, it will be rolling out and enabling the Google-developed retpoline optimizations, which reduce the performance impact of the mitigations for Spectre Variant 2 (CVE-2017-5715). Users running 64-bit Windows 10 version 1809 and newer will get the retpoline code installed via KB4482887 and later updates, with the feature turned on via cloud configuration in a phased rollout.


No retpoline fixups for me, at least not until Microsoft Update stops failing to install a newer build (heh). It may be time to nuke it from orbit and start fresh! If you get this error on a supported build you may have to run this PowerShell script from the Microsoft Support website to get it to work though when I tried I was not able to get PS to import the module...

As a refresher, Spectre Variant 2 is a security vulnerability related to speculative execution that requires CPU microcode as well as OS kernel updates to mitigate. Red Hat summarizes CVE-2017-5715 as “an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system.” Microsoft further clarifies:

“At a high level, the Spectre variant 2 attack exploits indirect branches to steal secrets located in higher privilege contexts (e.g. kernel-mode vs user-mode). Indirect branches are instructions where the target of the branch is not contained in the instruction itself, such as when the destination address is stored in a CPU register.”

Unfortunately, while Spectre Variant 1 could be patched at the OS kernel level, Spectre Variant 2 required processor microcode updates (or new hardware with different speculative execution behaviour), and those patches, while necessary to mitigate potential attacks, have an impact on performance. Last year Google began work on “retpoline” to reduce that impact. Retpoline ended up being much faster than IBRS (Indirect Branch Restricted Speculation), which is the default behaviour post-mitigation, though still slower than regular indirect calls and jumps (pre-mitigation).

Retpoline replaces every indirect call or jump in kernel-mode binaries with a “return trampoline” sequence that has safe speculation behaviour. The sequence performs a direct call, overwrites the return address that call pushed with the real target, and then returns: architecturally the RET lands on the intended target, but the CPU predicts the RET from its return stack buffer, which points at a harmless spin loop placed just after the call, so the indirect branch predictor that Spectre Variant 2 poisons is never consulted. Microsoft enables retpoline on all AMD processors and on Intel Broadwell and older architectures, where a RET never falls back to the indirect branch predictor; on Skylake and later a RET can do exactly that when the return stack buffer underflows, which is why Microsoft does not enable retpoline there.

The replacement is traditionally done at compile time, with the compiler emitting retpoline sequences in place of indirect calls. Microsoft stated that, given its need to support legacy and third-party driver code that was never rebuilt, a compile-time-only approach was simply not practical; instead, Windows performs the retpoline fixups at runtime. It extended the DVRT (Dynamic Value Relocation Table) format and the NT Memory Manager to carry retpoline metadata, which can be added to the DVRT without breaking backwards compatibility. Speaking of backwards compatibility, the Redmond-based software giant plans to keep shipping Windows 10 binaries in their non-retpoline form to maintain wider compatibility and software support; drivers and software that do carry retpoline metadata will be able to take advantage of the optimizations.
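To make the sequence described above concrete, here is an added example (my own illustration, not Microsoft's or Google's code) of the classic x86-64 retpoline call thunk written as GNU assembler inside a C file, with an ordinary indirect call alongside for comparison. It assumes an x86-64 ELF toolchain (gcc or clang on Linux) and the System V calling convention; the helper names retpoline_thunk_rax, call_via_retpoline and the two demo target functions are mine. On any other platform the file falls back to a plain indirect call so it still builds.

```c
#include <stdio.h>

typedef long (*fn_t)(long);

/* Two possible targets, so the call site really is an indirect branch. */
long demo_square(long x) { return x * x; }
long demo_negate(long x) { return -x; }

/* Baseline: an ordinary indirect call. The CPU picks the speculative target
 * from its indirect branch predictor (BTB), which is what Spectre v2 poisons. */
long call_plain(fn_t f, long arg) { return f(arg); }

#if defined(__x86_64__) && defined(__ELF__)
/* Retpoline version, hand-written so the three steps are visible.
 * SysV convention on entry to call_via_retpoline: rdi = f, rsi = arg.
 * The thunk expects the target in rax, like the compiler-generated
 * __x86_indirect_thunk_rax that retpoline builds emit. */
__asm__(
    ".text\n"
    "retpoline_thunk_rax:\n"
    "    call 1f\n"                  /* step 1: direct call pushes the address of 2: */
    "2:  pause\n"                    /*   RSB-predicted speculation lands here...   */
    "    lfence\n"                   /*   ...and is fenced so it cannot run ahead   */
    "    jmp 2b\n"                   /*   spin until the real RET retires           */
    "1:  mov %rax, (%rsp)\n"         /* step 2: replace that return address with *rax */
    "    ret\n"                      /* step 3: RET jumps to the target, BTB unused */
    ".globl call_via_retpoline\n"
    ".type call_via_retpoline, @function\n"
    "call_via_retpoline:\n"
    "    sub $8, %rsp\n"             /* keep rsp 16-byte aligned at the target's entry */
    "    mov %rdi, %rax\n"           /* rax = function pointer (thunk input register) */
    "    mov %rsi, %rdi\n"           /* rdi = first argument for the target */
    "    call retpoline_thunk_rax\n" /* this line stands in for 'call *%rax' */
    "    add $8, %rsp\n"
    "    ret\n"
    ".size call_via_retpoline, .-call_via_retpoline\n"
);
long call_via_retpoline(fn_t f, long arg);
#else
/* Non-x86-64 or non-ELF build: no retpoline, plain indirect call instead. */
long call_via_retpoline(fn_t f, long arg) { return f(arg); }
#endif

int main(void)
{
    printf("plain:     square(7) = %ld, negate(7) = %ld\n",
           call_plain(demo_square, 7), call_plain(demo_negate, 7));
    printf("retpoline: square(7) = %ld, negate(7) = %ld\n",
           call_via_retpoline(demo_square, 7), call_via_retpoline(demo_negate, 7));
    return 0;
}
```

Both paths return identical results; the difference lies only in what the CPU speculates at the RET, which this program cannot observe. The lfence inside the capture loop keeps the speculative path from spinning forward and wasting execution resources while the real return address resolves. Build with gcc -O2 -Wall and run it to see the two calls agree.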

“As mentioned earlier, the Windows implementation needs to support mixed environments in which some drivers are not compiled with retpoline support. This means that we cannot simply replace every indirect call with a retpoline sequence like the example shown in the introduction. We need to ensure that the kernel gets the opportunity to inspect the target of the call or jump so that it can apply appropriate mitigations if the target does not support retpoline.” - Mehmet_Iyigun, Microsoft

DVRT metadata can store retpoline data for import calls/jumps, switchable jumps, and generic indirect calls/jumps, and then the extended NT Memory Manager infrastructure is used to understand that metadata and apply fixups / retpoline optimizations where applicable.

What does all this mean for performance, though? According to Microsoft's internal testing, Office applications started approximately 25% faster and storage and networking performance improved by 1.5x to 2x compared with the un-optimized Spectre 2 mitigations, which is a notable improvement; Microsoft also claims the mitigation overhead has been "reduced to noise level for most situations." If you are running Windows Insider Preview 18272 or later on supporting hardware, the retpoline optimizations should already be turned on for you (you can double-check with the Get-SpeculationControlSettings PowerShell cmdlet, which reports whether kernel retpoline is enabled), and if you are running Windows 10 1809 or later the optimizations will be enabled within the first half of this year in a phased rollout.

Until we get new processors that are not affected by the various speculative execution attacks (which could be difficult if not impossible to totally eliminate just due to the nature of how those performance tricks work), optimizations like retpoline to reduce the performance impact of patches that improved security but limited full potential chip performance may well be our best bet.

Are you running one of the Windows Insider builds with retpoline enabled and noticed any increased application performance? You can check out Microsoft’s blog post with all the juicy programming details here. You can find the KB4482887 update information page here.


Source: Microsoft