Snooping passwords from literally hot keys, China's AK-47 laser, malware, and more

Your two-minute guide to the week's infosec bits

Roundup The week surrounding America's "Huzzah, we kicked out the Brits, and will now spell color any way we like" Day, on July 4, is traditionally one of the slowest periods in the annual business tech news cycle.

IT security, on the other hand, never rests. We've covered Google cracking down on non-HTTPS sites, Fortnite cheats getting pwned by malware, a fascinating interview with plane hacker Chris Roberts, and even a new (and poorly written) computer crime novel cowritten by Bill Clinton.

But there were other stories bubbling under, so here's the best of the rest.

Time to get patching Ubuntu

Canonical has issued a rash of new security patches for its Ubuntu GNU/Linux distribution – updates that should be installed as soon as possible.

Not all of these fixes are alike. If you're running a system with an AMD processor, one patch removes an earlier update that was supposed to address the Spectre CPU vulnerability. That microcode-level mitigation left some AMD-powered systems unable to boot, and now has been given the boot from Ubuntu Linux computers.
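Once that update lands on an AMD box, the useful question is what the running kernel now claims about each flaw. The following is an added example (not the article's, and not Canonical's tooling) that reads the kernel's own status files under /sys/devices/system/cpu/vulnerabilities/, a real interface present in kernels from 4.15 on and in distribution kernels that backported it; the sample values below are constructed for the offline demo, not captured from a machine.

```python
"""Report what the kernel says about Spectre/Meltdown mitigation on this host.

Added example, not from the article or from Canonical. The sysfs directory is
real; SAMPLE is a constructed stand-in so the logic can be exercised offline.
"""
import pathlib

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what the directory can contain on an AMD system whose
# microcode-based Spectre v2 mitigation has been reverted (not real output).
SAMPLE = {
    "meltdown": "Not affected",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal AMD ASM retpoline",
    "spec_store_bypass": "Vulnerable",
}


def classify(status):
    """Map one status line to mitigated / not_affected / vulnerable.

    The kernel prefixes every line with one of these three words; anything
    that is not 'Mitigation:' or 'Not affected' is treated as exposed.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"


def audit(entries):
    """Classify a {flaw_name: status_text} mapping."""
    return {name: classify(text) for name, text in entries.items()}


def unmitigated(entries):
    """Names of flaws the kernel reports as exposed, sorted for stable output."""
    return sorted(n for n, c in audit(entries).items() if c == "vulnerable")


def read_sysfs(path=SYSFS_DIR):
    """Read the live directory; returns {} on kernels that predate it."""
    d = pathlib.Path(path)
    if not d.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(d.iterdir())}


if __name__ == "__main__":
    # Use the live kernel if available, otherwise fall back to the sample.
    live = read_sysfs() or SAMPLE
    for name, status in live.items():
        print(f"{name:20s} {classify(status):13s} {status}")
    exposed = unmitigated(live)
    print("exposed:", ", ".join(exposed) if exposed else "none")
```

Run it as root or not; the files are world-readable. On a system like the constructed sample, spectre_v2 and spec_store_bypass come back as exposed, which is the signal to check whether a newer microcode package or a kernel-side mitigation (retpoline, SSBD) is available rather than assuming the reverted update still protects you.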

There's also a security update for the Firefox packages, following critical fixes from Mozilla. Ubuntu's PHP, Devscripts, and Archive Zip packages have also been given some secure code lovin'.

Regarding the Firefox updates, the security fixes were publicly issued by the browser's maker Mozilla on June 25 and 26; however, they are only now making their way to Ubuntu users. Other Linux flavors, such as Debian, pushed out the Firefox security update to users days earlier.

We asked Canonical why the week-long hold up, and a spokesperson told us the Ubuntu team was "waiting for the point release from Mozilla before pushing out updates." The Firefox snap is kept "up to date so users can install that if they want to run the latest version."

Still, the delay irritated some as it meant people were left running vulnerable software while miscreants potentially developed exploits for the disclosed bugs.

Infosec consultant Stephan Verbücheln, based in Switzerland, told us earlier this week before Ubuntu updated its Firefox packages: "Despite this version fixing several security issues with critical risk, Ubuntu has still not updated the version in their repositories. There is no reason to assume that Ubuntu staff was overwhelmed by a sudden Mozilla release."

In any case, if you use Firefox, get the latest updates.

Beware the Therminator

No, not Arnie with a lisp, but instead an interesting bit of research into side-channel data-leaking techniques.

Boffins at the University of California, Irvine have been doing some interesting work [PDF] on thermal imaging and passwords. Humans run quite hot thanks to our mammalian status, and it turns out the warm fingerprints left on key tops after typing in a password can be observed to snatch one's login credentials.

You might think the trace of heat a fingertip leaves on a plastic key would be negligible, but it turns out a heat-sensing camera can spot which keys were pressed up to 45 seconds afterwards. It's a canny bit of research that led the eggheads to postulate that we should consider dumping passwords altogether for a better system.

It's a cute surveillance technique, and the twist is that it works after the fact: the camera only has to be pointed at the keyboard within that 45-second window, not while the password is being typed. Still, one can't help wondering about its practicality. If you have the kind of physical access to a target that allows this kind of thermal imaging, why not just use a plain old camera to watch passwords being typed, install a keylogger, or look over their shoulder?

Quick links

  • On July 11, the US Senate committee for commerce, science and transportation will hold a hearing on the data-leaking Spectre and Meltdown CPU flaws.
  • Microsoft security researcher Matt Oh has taken apart a malware-laced PDF, reverse-engineering it in great and fascinating detail. Code within the document exploits now-fixed bugs in Windows and Adobe Acrobat to hijack the machine when the file is opened.
  • Watch out for this macOS software nasty: OSX.Dummy, which is installed by marks if they are tricked into running a command in Terminal that downloads and runs the thing. The malware opens a backdoor, and makes a note of the Mac's root password.
  • We hope you've patched your HP iLO 4 server firmware for CVE-2017-12542, disclosed in August 2017, because research and proof-of-concept exploit code is now floating around. The flaw can be abused to bypass authentication and execute malicious code remotely. It can be as simple as sending 29 characters in a Curl request.
  • Microsoft's Windows 7 Defender has started receiving malware updates again after a week's hiatus.
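If you have more than a handful of ProLiant boxes, the iLO 4 item above is worth turning into a fleet check. The following is an added example (not from the article, and not HPE's tooling) that parses the XML an iLO controller serves, unauthenticated, at /xmldata?item=all and flags iLO 4 units whose firmware revision is below the fix level. The endpoint and the RIMP/MP/FWRI structure are real; the 2.53 fix level is an assumption to verify against HPE's own advisory for CVE-2017-12542, the `fetch` helper and the host names are hypothetical, and the sample documents are constructed.

```python
"""Flag HPE iLO 4 controllers running firmware below the CVE-2017-12542 fix.

Added example, not from the article or from HPE. Parses the unauthenticated
/xmldata?item=all document that iLO serves and compares the FWRI field with
FIXED_VERSION. FIXED_VERSION is an assumption: confirm it against HPE's
advisory before relying on this.
"""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 53)  # assumption; check HPE's advisory for CVE-2017-12542


def sample_xml(product, fw, serial):
    """Constructed stand-in shaped like a real iLO /xmldata?item=all reply."""
    return (
        '<?xml version="1.0"?>\n'
        "<RIMP>\n"
        "<HSI><SBSN>CZJ00000XX</SBSN><SPN>ProLiant DL380 Gen9</SPN></HSI>\n"
        "<MP>\n"
        "<ST>1</ST>\n"
        f"<PN>{product}</PN>\n"
        f"<FWRI>{fw}</FWRI>\n"
        "<HWRI>ASIC: 16</HWRI>\n"
        f"<SN>{serial}</SN>\n"
        "</MP>\n"
        "</RIMP>\n"
    )


def parse_version(s):
    """'2.50' -> (2, 50); tuples compare correctly, strings do not ('2.9' > '2.53')."""
    m = re.match(r"(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {s!r}")
    return int(m.group(1)), int(m.group(2))


def inspect(xml_text):
    """Return product, firmware, serial and a vulnerable flag for one reply."""
    root = ET.fromstring(xml_text)
    mp = root.find("MP")
    if mp is None:
        raise ValueError("no <MP> element; not an iLO xmldata response")
    product = (mp.findtext("PN") or "").strip()
    fw = (mp.findtext("FWRI") or "").strip()
    is_ilo4 = "iLO 4" in product
    return {
        "product": product,
        "firmware": fw,
        "serial": (mp.findtext("SN") or "").strip(),
        "ilo4": is_ilo4,
        # Only iLO 4 is in scope for this CVE; other generations are not judged.
        "vulnerable": is_ilo4 and parse_version(fw) < FIXED_VERSION,
    }


def scan(responses):
    """responses: {host: xml_text}. Returns sorted hosts that need patching."""
    return sorted(h for h, x in responses.items() if inspect(x)["vulnerable"])


def fetch(host, timeout=5):
    """Pull the live document from a BMC (hypothetical helper, not run offline).

    iLO ships with a self-signed certificate, so verification is disabled
    here; pin the cert instead if you keep this in production.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}/xmldata?item=all"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
        return r.read().decode("utf-8", "replace")


# Constructed fleet: hypothetical host names, constructed replies.
FLEET = {
    "ilo-dl380-01": sample_xml("Integrated Lights-Out 4 (iLO 4)", "2.50", "ILO0001"),
    "ilo-dl360-02": sample_xml("Integrated Lights-Out 4 (iLO 4)", "2.55", "ILO0002"),
    "ilo-gen10-03": sample_xml("Integrated Lights-Out 5 (iLO 5)", "1.30", "ILO0003"),
}

if __name__ == "__main__":
    for host, xml_text in FLEET.items():
        print(host, inspect(xml_text))
    print("needs patching:", scan(FLEET))
```

Swap `FLEET` for `{h: fetch(h) for h in hosts}` to run it against real controllers, and keep the management network segmented regardless: an authentication bypass on a BMC is game over for the host it manages, and the fleet check only tells you how far behind you are.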

Portly piracy suspect is pissed off

The continuing saga of Kim Dotcom opened another chapter when the former owner of one of the most notorious file-sharing websites, Megaupload, lost his appeal against extradition.

The New Zealand courts ruled against Dotcom's appeal against a verdict that would see him shipped off to the US to face charges of copyright infringement and fraud. His team has promised to appeal again to the country's Supreme Court.

There had been earlier signs of hope for Dotcom, after a court ruling that he couldn’t be extradited for copyright infringement as the crimes occurred outside of New Zealand's jurisdiction. But it was the fraud allegations that stuck.

Old dog, new tricks

One of the older families of malware, Rakhni, has received an upgrade.

The code has traditionally been used as file-encrypting ransomware against Windows PCs, holding victims' documents hostage for payment, but apparently that's no longer enough, according to Kaspersky Lab.

Now the code's masterminds have seen fit to add cryptocurrency-mining code into the software nasty, so that on infection it can choose between scrambling the victim's files for ransom and quietly mining on their hardware. Either way the mark loses: it's their data, or their CPU cycles.

China perfects laser rifle

Something for the Flash Gordon fans: it seems that the Chinese have developed a laser rifle that actually works.

According to reports the compact, if rather ugly, rifle is dubbed the ZKZM-500 and has a range of half a mile. It can burn through clothing in seconds, burn bare skin, and ignite petrol tanks on cars. It's now ready for mass production, and will be coming to counter-terrorism squads in the Middle Kingdom.

Given that America is already worried about laser weapons being used by the Chinese military against its forces, this new weapon could spark a new, light-based arms race.

Move over Nigeria, Botswana's in town

When you think African computer crime, Nigeria is the first place that comes to mind, thanks to numerous princes of the locale trying to snatch people's money.

But there's a new kid on the block, according to police in the southern African state of Botswana. In the last few months, the nation's cops have been deluged with complaints from businesses far and wide that are getting ripped off online by miscreants within the country.

There are the traditional business invoice scams, but also fraudulent suppliers dropping off the radar once the money for orders has been sent, and even some enterprising scumbags using fake Facebook accounts to further aid their scamming. ®


Biting the hand that feeds IT © 1998–2022