Let’s get caught up on computer security news! The big news is Shadowhammer — the Asus Live Update Utility prompted users to download an update that lacked any description or changelog. People thought it was odd, but the update was properly signed by Asus, and antivirus scans reported it as safe.
Nearly a year later, Kaspersky Lab announced they had confirmed this strange update was indeed a supply chain attack — one that reaches its target by way of a trusted vendor. Another recent example is the backdoor added to CCleaner, when an unknown actor compromised the build system for CCleaner and used that backdoor to target other companies who were using CCleaner. Interestingly, the backdoor in CCleaner has some similarities to the backdoor in the Asus updater. Combined with the knowledge that Asus was one of the companies targeted by this earlier breach, the researchers at Kaspersky Lab suggest that the CCleaner attack might have been the avenue by which Asus was compromised.
Shadowhammer sits quietly on the vast majority of machines it infects. It’s specifically targeted at a pool of about 600 machines, identified by their network card’s MAC address. We’ve not seen any reporting yet on who was on the target list, but Kaspersky is hosting a service to check whether your MAC is on the list.
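As an added, stand-alone illustration of how a MAC-based target list can be checked locally (this is not code from the article, from Asus, or from Kaspersky’s checker): the script below normalises the MAC addresses a host reports, hashes each one and looks it up in a set of indicator hashes. It assumes the list is distributed as MD5 hashes of the lowercase, colon-separated MAC string; the article does not describe the format Kaspersky’s service uses, so treat the hashing step as an assumption, and the sample MACs and indicator set as constructed values.

```python
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Set

# Constructed sample input: MACs as three common tools would print them.
SAMPLE_LOCAL_MACS = [
    "00-16-3E-5A-1B-2C",   # Windows ipconfig style
    "00:16:3e:5a:1b:2d",   # Linux ip link style
    "0016.3e5a.1b2e",      # Cisco dotted style
]


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to lowercase, colon-separated hex (e.g. 00:16:3e:5a:1b:2d)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_indicator(mac: str) -> str:
    """Hash a MAC the way the (assumed) indicator list does: MD5 of the canonical string."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed indicator set: in practice this would be the published list of hashes.
SAMPLE_INDICATORS: Set[str] = {mac_indicator("00:16:3e:5a:1b:2d")}


def find_targeted(local_macs: Iterable[str], indicators: Set[str]) -> List[str]:
    """Return the canonical form of every local MAC whose hash is on the list."""
    hits = []
    for raw in local_macs:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            continue            # ignore entries that are not MAC addresses
        if mac_indicator(mac) in indicators:
            hits.append(mac)
    return hits


def local_macs_from_sysfs() -> List[str]:
    """Collect interface MACs on Linux from /sys/class/net/*/address (skips loopback)."""
    macs = []
    for addr_file in Path("/sys/class/net").glob("*/address"):
        try:
            mac = addr_file.read_text().strip()
        except OSError:
            continue
        if mac and mac != "00:00:00:00:00:00":
            macs.append(mac)
    return macs


if __name__ == "__main__":
    # On Linux, check this host's own interfaces; elsewhere fall back to the sample.
    candidates = local_macs_from_sysfs() or SAMPLE_LOCAL_MACS
    for mac in find_targeted(candidates, SAMPLE_INDICATORS):
        print(f"MAC {mac} is on the target list")
```

Normalising before hashing matters because every tool prints MACs differently; a list built from one format will silently miss a host whose inventory tool uses another.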
While we’re still waiting for the full technical paper, researchers gave a nearly 30-minute presentation about Shadowhammer, embedded below the break along with news about Dragonblood, Amazon listening to your conversations, and the NSA delivering on Ghidra source code. See you after the jump!
WPA3 and Dragonblood
WPA3 is a thing now. It was designed to mitigate the weaknesses of WPA2, barely any devices support it yet, and already a paper with a fancy name, Dragonblood, has been released detailing its weaknesses. The authors have identified a denial-of-service weakness and some side-channel key attacks. The two attacks that I find most interesting are a downgrade attack and a timing attack.
The downgrade attack abuses the built-in support for WPA2, intended for older devices. An attacker is able to launch a man-in-the-middle attack against a client attempting to connect to the network. Even though the protocol detects the attack and aborts the connection, enough information is leaked to enable an offline dictionary attack.
A second attack is a timing attack against one of the password derivation functions of WPA3. By measuring the amount of time taken to run this derivation function, an attacker is able to determine statistical information about the password or key being processed.
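To make the timing leak concrete, here is an added toy model (not the WPA3 derivation, and not code from the Dragonblood paper or the article): a “try counters until one is acceptable” loop whose iteration count, and therefore its running time, depends on the password, next to a version that always runs the same number of rounds. The acceptance test, the round bound, the salt and the sample passwords are all constructed for the demonstration.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

MAX_ROUNDS = 64   # constructed bound on how many counters are tried

# Constructed sample passwords and salt for the demonstration.
SAMPLE_PASSWORDS = [f"password{i}".encode() for i in range(40)]
SAMPLE_SALT = b"constructed-salt"


def candidate_is_usable(password: bytes, salt: bytes, counter: int) -> bool:
    """Toy acceptance test: roughly one candidate in eight passes (first digest byte < 32)."""
    digest = hashlib.sha256(password + salt + counter.to_bytes(1, "big")).digest()
    return digest[0] < 32


def derive_variable_time(password: bytes, salt: bytes) -> Tuple[Optional[int], int]:
    """Leaky: stop at the first usable counter, so the work done depends on the password.
    Returns (chosen counter, iterations performed)."""
    for counter in range(1, MAX_ROUNDS + 1):
        if candidate_is_usable(password, salt, counter):
            return counter, counter
    return None, MAX_ROUNDS


def derive_fixed_time(password: bytes, salt: bytes) -> Tuple[Optional[int], int]:
    """Fixed work: always evaluate every counter and keep the first usable one.
    The iteration count no longer reveals anything about the password."""
    chosen = None
    for counter in range(1, MAX_ROUNDS + 1):
        usable = candidate_is_usable(password, salt, counter)
        # Keep the earliest hit. A production implementation would also make
        # this selection branch-free; here only the loop length is made constant.
        if usable and chosen is None:
            chosen = counter
    return chosen, MAX_ROUNDS


def iteration_profile(passwords: List[bytes], salt: bytes,
                      derive: Callable[[bytes, bytes], Tuple[Optional[int], int]]) -> List[int]:
    """Iteration counts an observer timing the derivation would see, one per password."""
    return [derive(pw, salt)[1] for pw in passwords]


if __name__ == "__main__":
    leaky = iteration_profile(SAMPLE_PASSWORDS, SAMPLE_SALT, derive_variable_time)
    fixed = iteration_profile(SAMPLE_PASSWORDS, SAMPLE_SALT, derive_fixed_time)
    print("variable-time iteration counts:", leaky)
    print("fixed-time iteration counts:   ", fixed)
```

Both functions choose the same counter for a given password, so the fix costs nothing in correctness; what changes is that the leaky version’s iteration count (a proxy for wall-clock time) varies from password to password, while the fixed version always reports MAX_ROUNDS. That per-password variation is exactly the statistical signal a timing attack accumulates, and the remedy is the same in real implementations: do a fixed amount of work regardless of the secret.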
The authors also talked about the possibility of using Spectre-style cache attacks to extract more information about a user’s password. A combination of these statistical data sources could give an attacker enough information to derive the user’s password, if it appeared in the attacker’s dictionary. The takeaway is the same as always, pick long passwords that aren’t likely to be found in dictionaries.
I Always Feel Like Somebody’s Listening to Me… And I Have No Privacy…
In news that can only be described as startling and yet obvious, Amazon sends snippets of sound captured by Alexa to contractors and employees, in order to better train their speech-to-text neural network. It’s obvious, because what else could Amazon do when Alexa can’t understand us, but ask humans to listen. It’s also startling to think about all the strange noises Alexa listens in on, from bad singing in the shower, to private conversations not meant for anyone else. Now we know, someone really is listening — maybe.
NSA Makes Good on Open Sourcing Ghidra
You may remember that we talked about the NSA’s newest open source effort, Ghidra. The source code has since been pushed to GitHub, and pull requests have been rolling in. The usual warnings apply: make sure you download from a reputable source.
Security is a never-ending task, so we’ll inevitably be back with more. Know of something that we should cover, drop it in our tipline!