Intel puts security on the todo list, Tavis topples torrent tool, and more

A quick catch-up on infosec stuff beyond what we've already reported

Roundup The security world is still feeling the aftereffects of last week's CPU design flaw disclosures, which continued to dominate the news this week, even amid the noisy CES jamboree in Las Vegas.

The Meltdown-slash-Spectre saga, broken by The Register last week, is still causing major headaches, not least for Intel. On Friday, Chipzilla's CEO Brian Krzanich, under pressure over his corp's handling of the processor design flaws, issued an open letter to the industry.

He claimed Intel was committed to fixing things up, and had rolled out patches for 90 per cent of affected systems. What he left unsaid was that some of those patches are causing their own issues. He also acknowledged that the repairs could bring a performance hit, without saying how much.

"We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique," he said. "We commit to provide frequent progress reports of patch progress, performance data and other information."

That last line elicited some hollow laughter at The Reg offices. It wasn't until Red Hat and Microsoft published slowdown figures, and a sea of complaints came in from punters deploying the much-needed patches, that Intel finally released its own numbers.

Signal/WhatsApp scare

Signal is the gold standard in the encryption market and WhatsApp is one of the most widely used communications channels in the world. This week, there was a report of flaws in the two systems.

German researchers at the Real World Crypto conference in Zurich presented details [PDF] about how they had found a way to add new participants to group chats on the two platforms. These ghost members of the group would be able to listen to and record all future messages and conversations between group members.

It sounds scary – the very reason people use these platforms (and Signal in particular) is for privacy. But if you read all the way through the research, the hack looks interesting but is almost unworkable in the real world.

For the WhatsApp crack to succeed, the attacker would need to take control of one of the machines providing the chat service, and add themselves to a group. Crucially, if a snoop added themselves to the group, all of its members would be notified, rather giving the game away.

The Signal hack was even harder. Without having to hack any servers, an attacker could add people to a group chat – but only if they knew the group session's identifying number. This is a randomly generated 128-bit number, so good luck guessing it.

Tavis strikes again

Meanwhile, Tavis Ormandy, a member of Google's Project Zero team, found an interesting little issue with popular open-source torrenting software Transmission.

Ormandy spotted that the Transmission protocol had a flaw that would allow a DNS rebinding attack. An attacker hosting a malware-laden page could use the flaw to alter a victim's DNS server to launch a client-side script.

Transmission is vulnerable to this kind of attack, Ormandy found, and an attack was both quick and easy. Either code could be added to the machine using the website, or a special torrent could be inserted into the download stream to add larger chunks of code.

"I've verified it works on Chrome and Firefox on Windows and Linux (I tried Fedora and Ubuntu), I expect other platforms and browsers are affected," Ormandy said. A patch has now been released.
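DNS rebinding against a local HTTP service depends on the browser still sending the attacker's domain name in the Host header once that name resolves to the victim's own machine, so the service can refuse such requests by checking that header. The sketch below is an added example of that check, not Transmission's code or its patch; the allowlist, port number and sample headers are constructed.

```python
import ipaddress

# Assumed names the local service is legitimately reached by (hypothetical allowlist).
ALLOWED_NAMES = {"localhost"}

def split_host_port(host_header):
    """Split a Host header value into (host, port-or-None); None if malformed."""
    value = host_header.strip()
    if not value:
        return None
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:] or None
    else:
        host, sep, port = value.partition(":")
        port = port if sep else None
    if port is not None and not port.isdigit():
        return None
    # Normalise case and a trailing root dot before comparing.
    return host.lower().rstrip("."), port

def host_is_allowed(host_header, allowed_names=ALLOWED_NAMES):
    """True only if the Host header names this machine, not some other domain."""
    parsed = split_host_port(host_header or "")
    if parsed is None:
        return False
    host, _port = parsed
    try:
        # A loopback IP literal is acceptable: a rebound request carries a DNS name.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host in allowed_names

# Constructed Host headers, as a browser might send them to a service on port 8080.
SAMPLES = ["localhost:8080", "127.0.0.1:8080", "[::1]:8080",
           "rebind.attacker.example:8080", "localhost.attacker.example", ""]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:35} -> {'serve' if host_is_allowed(h) else 'reject (403)'}")
```

A service that must also be reachable by other hostnames would add them to the allowlist explicitly rather than loosening the comparison.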

Transmission was also patched to fix a security flaw in its server-client design, again found by Ormandy.

And finally, watch out for some new macOS malware doing the rounds: MaMi, which hijacks your DNS settings. Plus, here's an in-depth look at that $100,000 payout Uber made to hackers who found its AWS private keys accidentally left on GitHub. ®
