Let’s get caught up on computer security news! The big news is Shadowhammer — The Asus Live Update Utility prompted users to download an update that lacked any description or changelog. People thought it was odd, but the update was properly signed by Asus, and antivirus scans reported it as safe.
Nearly a year later, Kaspersky Labs announced they had confirmed this strange update was indeed a supply chain attack — one that attacks a target by way of another vendor. Another recent example is the backdoor added to CCleaner, when an unknown actor compromised the build system for CCleaner and used that backdoor to target other companies who were using CCleaner. Interestingly, the backdoor in CCleaner has some similarities to the backdoor in the Asus updater. Combined with the knowledge that Asus was one of the companies targeted by this earlier breach, the researchers at Kaspersky Lab suggest that the CCleaner attack might have been the avenue by which Asus was compromised.
Shadowhammer sits quietly on the vast majority of machines it infects. It’s specifically targeted at a pool of about 600 machines, identified by their network card’s MAC address. We’ve not seen any reporting yet on who was on the target list, but Kaspersky is hosting a service to check whether your MAC is on the list.
While we’re still waiting for the full technical paper, researchers gave a nearly 30 minute presentation about Shadowhammer, embedded below the break along with news about Dragonblood, Amazon listening to your conversations, and the NSA delivering on Ghidra source code. See you after the jump!
WPA3 and Dragonblood
WPA3 is a thing now. It was designed to mitigate the weaknesses of WPA2, barely any devices support it yet, and already a paper with a fancy name has been released detailing its weaknesses. Dragonblood. The authors have identified a Denial of Service weakness and some side-channel key attacks. The two attacks that I find most interesting are a downgrade attack, and a timing attack.
The downgrade attack abuses the built-in support for WPA2, intended for older devices. An attacker is able to launch a man-in-the-middle attack against a client attempting to connect to the network. Even though the protocol detects the attack and aborts the connection, enough information is leaked to enable an offline dictionary attack.
A second attack is a timing attack against one of the password derivation functions of WPA3. By measuring the amount of time taken to run this derivation function, an attacker is able to determine statistical information about the password or key being processed.
The authors also talked about the possibility of using Spectre-style cache attacks to extract more information about a user’s password. A combination of these statistical data sources could give an attacker enough information to derive the user’s password, if it appeared in the attacker’s dictionary. The takeaway is the same as always, pick long passwords that aren’t likely to be found in dictionaries.
I Always Feel Like, Somebody’s Listening Me…
And I Have no Privacy…
In news that can only be described as startling and yet obvious, Amazon send snippets of sound captured by Alexa to contractors and employees, in order to better train their speech-to-text neural network. It’s obvious, because what else could Amazon do when Alexa can’t understand us, but ask humans to listen. It’s also startling to think about all the strange noises Alexa listens in on, from bad singing in the shower, to private conversations not meant for anyone else. Now we know, someone really is listening — maybe.
NSA Makes Good on Open Sourcing Ghidra
You may remember that we talked about the NSA’s newest open source effort, Ghidra. The source code has since been pushed to Github, and pull requests have been rolling in. The usual warnings apply: Make sure you download from a reputable source.
Security is a never-ending task, so we’ll inevitably be back with more. Know of something that we should cover, drop it in our tipline!
21 thoughts on “Shadowhammer, WPA3, And Alexa Is Listening: This Week In Computer Security”
I know. It’s a spoof of “Somebody’s Watching Me” by Rockwell. Adding the extra syllable (“To”) just throws off the meter.
Yeah, I don’t think it meant that MS Millenium Edition was physically listening…
Next non-surprise revelation: amazon picks out keywords in your “private” conversations in order to target you with ads?
I wouldn’t be surprised if Google is doing this on android devices – I’ve had a friend have conversations with customers where the customer mentions products/services he has never used, and he sees ads for them later that day… Maybe coincidence, but wouldn’t be surprised if otherwise in the least.
Well if you use Chrome, I’m sure that SwReporter will check your running processes for that. So many companies spy on people these days it would be easier to list the ones that do not.
Checks running processes for what?
(Why does HaD need JS now to leave a reply??)
>The usual warnings apply: Make sure you download from a reputable source.
The real question is: Is the NSA a reputable source and for what?
I won’t even comment on this Alexa-thing, nothing to see here. It’s a microphone connected to the web, it does what it is supposed to do = send your voice to some shady servers/companies/TLA.
The claim is to find software that may cause chrome issues from functioning correctly, but the reality has to be, that it is used to profile for better ads – it is Google/Alphabet after all.
You’re either on camera or your voice is recorded somewhere every day.
What I’d like to know is, does an undetectable ad blocker exist?
It’s annoying to go to a site, and see “ad blocker detected”.
I could turn off JS but some of the local news channels require it.
I usually just find the blocker detected code and block that but as I said, it gets annoying at times.
I don’t pay for internet to be blasted with ads. It seems these virus creators etc. are finding more
creative ways to send virii, spam and ads and it’s a constant battle to keep up sometimes.
I just want an enjoyable internet experience without having ads shoved onto my screen every time I visit a website.
“I just want an enjoyable internet experience without having ads shoved onto my screen every time I visit a website.”
Like HaD? ;-)
Yep. HaD doesn’t have too many ads but some sites are overloaded with flashing banners etc.
Very distracting. I don’t mind an ad or two but sheesh.
I’d have to agree with that one l- reasonable amount of adds is tolerable but some sites are
The whole site detecting what my system is i really don’t like.
“I don’t pay for internet to be blasted with ads”
I don’t like ads either but when you “pay for Internet”, you pay for your access to the network, not for content, which costs money to produce.
It would be quite the bill if we were. Maybe that’s why paywalls are so hated? It puts the truth in our faces.
Why do you make a difference? You do agree the only reason to connect to the network is to connect to a distant server in order to access its content, right?
“I don’t pay for internet to be blasted with ads”, exactly. Considering that ads take up bandwidth and on metered connections they actually have a quantifiable cost. So you pay to see ads.
Google even gets paid by your ISP to deliver those bytes…
please do these security news wrapups again, i like hearing it from you guys for sure
“What I’d like to know is, does an undetectable ad blocker exist?
It’s annoying to go to a site, and see “ad blocker detected”.”
There is no undetectable ad-blocker because the way that it works is that the default static page is the one that shows you “ad-blocker detected” and then the site uses JS and other methods to deliver the actual content. Because scripting is used to talk between the client (your browser) and the server it is trivial to determine that an ad or script blocker is running, if a script doesn’t phone home then it is being blocked from running.
That being said, i am having great success with Ublock origin and no script. The default settings are to block and then i whitelist domains as necessary, as they show you which domains that the site is trying to pull scripts from. For example: HAD is trying to pull from 8 different domains, some of these make sense like YouTube for the embedded video or WordPress as that is the back-end for the site, but they are also pulling in from doubleckick which is an ad provider. That being said, none of those scripts are actually required to interface with this site as all of them are blocked and i still wrote this comment.
What were the security weaknesses in WPA PSK? Last I checked if you couldn’t brute the key you were SOL
Also, evil twin just did a DOS on the original AP and social engineered with OEM HTTP page clones, so I’m curious what is improved?
i just got tracked by 4 social media sites by loading this page (not including H.A.D.) without needing to sign up or sign in, that is why i dont read HackADay much anymore, simple realization that this “payment” is just not worth it.
those little buttons you (might) never use actually get loaded every time you click, this clicking gets tracked, sold, and hacked, even if it does not result in ads or creepy harassment-style calls.
sure, the parent companies are secure, thats why they keep getting hacked?
and what about information sale? the buyers have good security hmmm?
is that why they keep getting hacked too?
so yes, i do use facebook, but not by choice.
Please be kind and respectful to help make the comments section excellent. (Comment Policy)