Major Security Flaw Discovered In Intel Processors

There’s some bad news if you own a computer driven by an Intel processor. Recently, a dangerous, catastrophic security flaw has been discovered in Intel’s X86-64 architecture that allows hackers to access the kernel, which sits at the heart of your OS. By accessing the kernel, a hacker can gain access to virtually everything on the targeted machine.

This is accomplished by way of a little-known feature called “speculative execution” which allows the processor to perform operations before it’s received definitive instructions that they need to be done. It’s a way of milking more speed out of the system.

Unfortunately, any such system runs the risk of giving programs permission to execute that, under normal circumstances, would not get permission. For example, a hacker could exploit this time-saving trick to force a piece of malware that Windows Defender (or related programs designed to safeguard your system) would otherwise catch and keep from running.

The truly terrifying part about this newly discovered exploit is its scope and scale. Intel chips are found in the majority of PCs and laptops being sold today, and this exploit has been sitting undiscovered until now, in every chip the company has made over the last ten years.

So far, Google researchers have identified two distinct attacks that could be used to exploit the flaw, dubbed “Meltdown” and “Spectre,” both being every bit as bad as they sound, and both capable of giving a hacker complete control over a target system. Fortunately, there have been no reported instances of either being used in the wild…yet.

The company is aware of the problem, and although they are playing things close to the vest, a fix is already in the works. Unfortunately, there’s a drawback. In order to implement the fix, it’s going to require a huge restructuring. This will likely eliminate the “speculative execution” feature, which is going to notably slow systems down. Early estimates are that when the fix is rolled out, you’ll see your system’s performance degraded by between 17-23%.

If there’s a silver lining in all this, if you happen to own a machine built around an AMD processor, give yourself a pat on the back. They don’t contain the flaw.

Vertical Video Support On YouTube For iOS Finally Here

The owners of Android devices have been able to properly view vertical videos for more than two years, but for Apple users, it was a different story.

Instead of getting the traditional full-screen experience when viewing vertical videos, Apple users were saddled with annoying vertical bars that would appear on either side of the video itself. It’s a small thing, but undeniably annoying. Now, at long last, the problem has been solved and now Apple users can enjoy the same vertical, full-screen experience as the rest of us.

YouTube announced the upgrade in a tweet that read as follows:

“Bye-bye, black bars. Now the YouTube player on iOS will automatically adapt to the shape of the video you’re viewing!”

It matters because smartphones were designed to be held in that position, so it’s the natural way to interact with the device, no matter what you’re doing with it, including watching videos.

There’s one caveat, however: A surprising number of vertical videos won’t go full screen because they’ve actually been encoded with black bars on the sides, which technically makes them landscape vids that are only mimicking the appearance of a vertical video.

Now that YouTube has made this change, over time, you’ll probably see fewer and fewer videos shot like this and uploaded. In the short to medium term, don’t be the least bit surprised if you run into videos shot like this on a regular basis.

Why it took the company so long to update the Apple version of their app with this functionality, no one knows, but it’s not hard to hazard a few guesses. In any event, it’s not something that’s likely to have a major impact on your life, but it is a welcome change and we were happy to see it.

Select HP Laptop Models Recalled Over Battery Issue

Did you purchase an HP laptop between December of 2015 and December of 2017? If so, then you may have problems.

The US Consumer Product Safety Commission has been made aware of eight instances where HP battery packs overheated, charred, or melted, creating a worrisome fire hazard that has gotten the attention of user groups scattered all over the internet.

It also got the attention of HP itself, and the company recently announced “a worldwide voluntary safety recall and replacement program” for laptops shipped during the timeframe mentioned above.

If you own one of the following models, you may be impacted:

  • HP ProBook 640 G2
  • HP ProBook 645 G2
  • HP ProBook 650 G2
  • HP ProBook 655 G2
  • HP ProBook 640 G3
  • HP ProBook 645 G3
  • HP ProBook 650 G3
  • HP ProBook 655 G3
  • HP ZBook 17 G3
  • HP ZBook Studio G3
  • HP ZBook 17 G4
  • HP x360 310 G2
  • HP Pavillion x360
  • HP ENVY m6
  • Or the HP 11 Notebook PC

You can visit HP’s website and download a tool you can use to test your laptop to see if it has one of the defective battery packs. A BIOS update is also available that will safely and completely discharge the battery. Although of course, until you get a replacement, you’ll only be able to power your laptop via the AC power supply.

According to the company, “Many of these batteries are internal to the system, which means they are not customer replaceable. HP is providing battery replacement services by an authorized technician at no cost.”

While it’s a nice gesture, it would be even better if the company hadn’t shipped the defective batteries in the first place and caused a major inconvenience to its customers. This most recent recall comes on the heels of another one less than a year ago, in which the company recalled more than 100,000 similarly defective laptops at the end of January, 2017.

New Wifi Standard WPA3 May Be Coming

Remember the KRACK WiFi (WPA2) vulnerability, discovered by Mathy Vanhoef? It turns out that his discovery was a catalyst for action. Recently, the WiFi Alliance, which is the industry’s standards organization, released details about its new WPA3 protocol.

Here’s a quick rundown of the changes you can expect to see in the months ahead:

  • Enhancements in encryption capabilities – The new protocol will enable encrypted connections between connected devices and the router/access point, and the cryptographic standard has been improved. According to the WiFi Alliance, it will be “a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, which will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial.”
  • The ability to configure one WiFi enabled device to configure other devices on the network – As an example, you’ll now be able to configure a network-connected smart device that doesn’t have a display screen from your smartphone or PC connected to the same network.
  • More protection – In addition to offering more robust encryption, the new standard will also offer enhanced protection against brute force attacks by halting the WiFi authentication process after some number of failed login attempts. This mirrors the functionality found on many web-based authentication systems.

All of these are welcome changes indeed, but despite relatively quick action on the part of the WiFi Alliance, it will still be several months before consumers are able to purchase devices that offer WPA3 support.

Mathy Vanhoef, the researcher who brought the KRACK attack to the world’s attention, had this to say about the recent announcement:

“The standards behind WPA3 already existed for a while, but now, devices are required to support them. Otherwise, they won’t receive the WPA3-Certified label. Linux’s open source Wi-Fi client and access point already support the improved handshake, it just isn’t used in practice. But hopefully, that will change now.”

This is good news indeed, and will help make wireless networks more secure. Kudos to Mathy Vanhoef for his discovery, and for spurring the industry into action.

Electronic Device Search Rules Better Defined By US Customs

There’s a constant tug of war playing out on the national stage. On one side, privacy advocates are pushing for greater autonomy for end users, and hard limits to the types of searches that law enforcement agencies are allowed to conduct.

On the other side are the government agencies themselves, which often cite national security concerns as the justification for more and easier access to the sensitive data contained on personal devices like laptops and smartphones.

Generally speaking, the privacy advocates lose those battles. This was the case recently, when the CBP (the US Customs and Border Protection agency) published their latest electronic search guidelines. The most significant change is that the new guidelines explicitly define the difference between basic and advanced searches.

CBP agents are authorized to choose any travel, with or without cause or suspicion, for basic searches. Under the clarified rules, a basic search is limited to an examination of data found on the device itself, which is accessible through already installed apps, or through the device’s OS.

Advanced searches may be conducted, but agents must demonstrate that there’s a reasonable suspicion of criminal activity, or that the person carrying the device represents a “national security concern.”

The individual singled out for an advanced search may be permitted to be present while the search is conducted, but are not permitted to view the actual search itself for fear of revealing law enforcement techniques. Of significance, even during the conduct of an advanced search, agents are not permitted to search cloud-based data. They are restricted to data stored on the device itself.

While none of this sounds especially heavy-handed, the biggest complaint privacy advocates have about the updated rules is the fact that border agents can, at their own discretion, still carry out warrantless searches without any judicial oversight whatsoever.

Although this may not impact you directly, it pays to be mindful of the recent changes.

Vulnerabilities Found In Some GPS Services

A duo of researchers stumbled across a series of vulnerabilities in literally hundreds of GPS services that leave sensitive GPS tracking data open to hackers. Dubbed “Trackmageddon” by the researchers, the vulnerabilities span a range of weaknesses that include default or easy-to-guess passwords, IDOR (Insecure Direct Object Reference) issues, insecure API endpoints, and data collection folders that are entirely unsecured.

The reason so many different tracking services are impacted is that most of them rely on the same online software to deliver their services, and that software (believed to be designed by ThinkRace, one of the largest vendors of GPS tracking devices) itself is flawed. As more and more companies license it, the issues spread, exposing the data of an increasing number of customers who are entirely in the dark about how vulnerable their location data is.

The researchers have made attempts to contact the vendors offering GPS tracking services with vulnerabilities, but so far, have met with only limited success. According to their report:

“We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users.

We understand that only a vendor fix can remove a user’s location history (and any other stored user data for that matter) from the still affected services, but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices, much higher than the risk of historic data being exposed.”

As to the types of data being exposed, it includes: GPS coordinates, phone numbers, IMEI numbers, device information, and depending on which online service is being used, a hacker could even gain access to audio, video, and photos uploaded by the device being used.

While extremely convenient, these services do carry significant risks. Use them at your own risk.

Backdoor In Certain Lenovo Switches Discovered

Does your company utilize either RackSwitch or BladeCenter networking switches? Are those switches running ENOS (the Enterprise Network Operating System)? If so, there’s a backdoor in your network you weren’t aware of. Even worse, it’s been there since 2004.

Engineers at Lenovo recently discovered the backdoor in the firmware when they conducted an internal security audit. These products were added to the company’s portfolio via acquisition from Nortel, and Lenovo only just became aware of their existence.

A spokesman for the company had this to say: “The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.”

Updates are available on Lenovo’s website, and links to the updates are available inside the company’s security advisory on this topic.

It should be noted that this backdoor would be relatively difficult for a would-be hacker to exploit, because it’s not a hidden account whose password could be guessed at or cracked via brute force, but rather an authentication bypass mechanism that requires a strict set of conditions to trigger. Lenovo describes the various configurations of security settings that activate the backdoor in their security advisory.

In any case, the presence of a backdoor into your network (even one that’s hard to trigger and access) isn’t something to be taken lightly. If you’re able, grab the firmware updates from Lenovo at your next opportunity and seal the breach. If that is impractical for some reason, Lenovo has spelled out a few mitigation strategies your company can apply as a stop gap, until you can get the firmware updates in place.

Kudos to Lenovo from their swift, deft handling of the issue!

Do Not Use These Chrome Extensions

Do you use any of the following Chrome browser extensions?

  • Change HTTP Request Header
  • Nyoogle – (a custom logo for Google)
  • Stickies – (a Post-It note for Chrome)
  • Lite Bookmarks

If so, you’re not alone. These four extensions have a combined user base of more than half a million.

Recently, security researchers from ICEBRG (a US cyber-security company) have discovered malicious codes embedded in copies of these on the official Chrome Web Store. The code allows hackers to manipulate the users’ browser via JavaScript.

So far, the hackers have only contented themselves with relatively tame activities like loading and displaying ads, clicking on ads, and loading malicious web pages in the background. However, the potential exists to do much more than this.

Since ICEBRG informed Google, the company has removed three of the four plugins from the Web Store. As of this moment, only Nyoogle remains, though the expectation is that it will be removed in short order as well.

While all four extensions utilize the same basic techniques, and do many of the same things, it is not clear if all four were created by the same group, although this seems likely.

Since the extensions have now been (mostly) removed, the rate of infection will slow. Of course, if you’ve already downloaded and installed one of these four, then you are going to continue to be impacted.

The extensions are easy to uninstall, and if you’re using one of them, that is the recommended course of action.

In recent months, Google has taken steps to make their auditing process more robust to prevent malicious extensions and apps from finding their way onto the web properties they manage. As this latest incident proves, no matter how careful a company is, sooner or later something is going to slip through.

Inappropriate Ads Found In Some Game Apps for Kids

Normally, Google’s robust series of checks and audits are pretty good at catching malicious code and preventing it from making its way to the Play Store. Sometimes, however, something slips through anyway despite the company’s best efforts. This latest one is particularly bad.

Researchers from Check Point have identified a new strain of malware called “AdultSwine” lurking in more than sixty gaming apps on the Play Store. Each of these apps has been downloaded between 3 million and 7 million times, which gives us approximately 150 million infected devices.

As the name suggests, the malware primarily displays ads from the web that are of an adult nature, and often overtly pornographic. It also attempts to trick unsuspecting users into installing additional malware that masquerades as “security apps.”

An analysis of the code reveals it to be highly flexible, allowing the authors to easily begin collecting all kinds of information about the owner of any infected device. This makes identity theft a real possibility if the hackers were inclined to do so.

The most disturbing element of all this is that the malware seems heavily focused on apps and games designed for children. So if you’re a parent, it pays to check the apps that are installed on your child’s phone. What seems at first glance to be a harmless game could actually be displaying pornographic advertising while they’re playing.

The Check Point researchers had this to say about the discovery:

“Although for now this malicious app seems to be a nasty nuisance, and most certainly damaging on both an emotional and financial level, it nevertheless also has a potentially much wider range of malicious activities that it can pursue, all relying on the same common concept. Indeed, these plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.”

Just to be safe, double check the apps on your child’s phone!

Intel Chips Face Another Possible Vulnerability

Intel’s year isn’t getting off to a very good start. Just after the discovery of a pair of critical vulnerabilities that have been in their chipsets for more than a decade comes the discovery of yet another serious flaw that could impact millions of laptops around the world.

A Finnish data security firm called “F-Secure” just reported an issue with Intel’s Active Management Technology (AMT) that could allow a hacker to completely bypass the machine’s normal login procedure and take control of the target device in under a minute.

AMT is an admin-level feature that allows organizations to control and manage large numbers of PCs and workstations quickly and efficiently via remote. To take advantage of the flaw, a hacker would need physical access to the machine, which is its one saving grace. However, if they have that, they can take complete control even if a BIOS password has been set.

While other research teams have discovered AMT vulnerabilities in the past, this one deserves special attention for three reasons:

  • Once in control, the hacker could gain remote access to whatever network the machine is attached to at some later point.
  • It affects almost all intel laptops, and odds are that if you’re a business owner, there are a number of laptops with Intel chipsets connected to your network
  • It’s an incredibly easy flaw to exploit, requiring no code whatsoever.

F-Security Research Harry Sintonen had this to say about it:

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

It should be noted that this flaw is in no way related to the Spectre and Meltdown vulnerabilities that have been reported on earlier, giving Intel a trio of nasty problems to deal with right at the start of the new year.