Hardware, Malware, Security

USB firmware hacks published

Leave a comment

We recently reported a new potential security threat in the form of hacked USB device firmware.

The details of the original hack were not reported by its discoverers, since it seemed likely that the vulnerability was widespread and difficult to fix.

Now a second team of researchers has published working code for a similar hack. Reactions have been mixed, with some categorizing this move as irresponsible.

This is probably going to get a lot worse before it gets better. There’s currently no way to detect whether a USB device has been hacked. Traditional anti-malware software is useless for this purpose.

Hopefully you were already exercising caution when using thumb drives, viewing drives from unknown sources with suspicion. With this new vulnerability, there’s probably no way to be perfectly safe unless you stop using thumb drives completely. Since that’s not practical for many users, you can stay relatively safe by making sure that your thumb drives are always on your person or stored in a secure location when not in use. So much for convenience.

Microsoft, Windows 10

Windows 10 Technical Preview

Leave a comment

Anyone interested in looking at an early version of Windows 10 can sign up to the ‘Windows Insider Program’ at preview.windows.com. Signing up is free, but you are encouraged to think of this software in terms of short term testing only.

The accompanying preview document (ed: no longer available) describes some important features of the upcoming O/S, including the new Start menu, window snapping and multiple desktops. Interestingly, it also steers clear of calling the next version ‘Windows 10’.

Microsoft, Windows

Windows 8 fading, XP and 7 still going strong

Leave a comment

Microsoft’s recent announcements about Windows 9 10 may have been the death knell for Windows 8. It seems people are happy to wait for the next Windows or switch to Windows 7 rather than take on the task of learning a user interface better suited to mobile phones than desktop computers.

According to the latest stats posted by Ars Technica, Windows 8 sales slipped slightly in the last month, while Windows 7 sales increased and Windows XP held steady.

Microsoft, Windows 10

Windows 9 is Windows 10

Leave a comment

Microsoft has a long history of naming things strangely, and they’re showing no signs of stopping. Despite it being a) logical; and b) already announced, “Windows 9” will not be the name of the next version of Windows. No, it will be “Windows 10”, because 10 is better than 9.

That aside, Windows 9 10 is apparently going to be a lot like Windows 7, at least according to some early prototype reviewers.

On a positive note, it looks like Microsoft is finally starting to realize that they can make users really happy by fixing things that should have worked properly in Windows 95. A good example of this is the file copy/move dialog in Windows 8.x, which is vastly better than in any previous version of Windows. And now the creaky old command window is finally going to be improved in Windows 10.

Update 2014Oct02: According to some sources, the reason ’10’ was chosen over ‘9’ is that a lot of software currently includes code that determines whether a computer is running Windows 95 and 98 by looking at the Windows version and comparing it to “Windows 9”. However, while such code does exist, this is not the recommended method for determining Windows version. If Microsoft is going to make decisions like this based on sloppy, ancient coding practices, we’re in serious trouble.

*nix, Hardware, Internet, Linux, Mac, Patches and updates, Security

Shellshock: a very bad vulnerability in a very common *nix tool

Leave a comment

Linux and other flavours of the Unix operating system (aka *nix) run about half of the world’s web servers. Increasingly, *nix also runs on Internet-enabled hardware, including routers and modems. A huge proportion of these systems also have BASH configured as the default command interpreter (aka shell).

A serious vulnerability in BASH was recently discovered. The full extent of the danger related to this vulnerability has yet to be determined, because the bug opens up a world of possible exploits. As an example, the bug can be demonstrated by issuing a specially-crafted request to a vulnerable web server that results in that server pinging another computer.

Patches that address the vulnerability (at least partially) became available almost immediately for most Linux flavours. Apple’s OS X has yet to see a patch, but presumably that will change soon, although Apple has been oddly slow to respond to issues like this in the past.

Most average users don’t need to worry about this bug, but if you run a web server, or any server that’s accessible from the Internet, you should make sure your version of BASH is updated.

As new information emerges, I’ll post updates here.

References:

Update 2014Sep27: The first patch for BASH didn’t fix the problem completely, but another patch that does is now available for *nix systems. Still nothing from Apple for OS X. Scans show that there are thousands of vulnerable web servers on the Internet. Existing malware is being modified to take advantage of this new vulnerability. Attacks using the BASH vulnerability are already being observed. Posts from Ars Technica, Krebs on Security and SANS have additional details.

Update #2: It looks like there are more holes to be patched in BASH.

Update 2014Oct01: Apple releases a bash fix for OS X, more vulnerabilities are discovered, and either attacks based on bash vulnerabilities are increasing or attacks are subsiding, depending on who you ask.

Update 2014Oct08: Windows isn’t affected, unless you’re using Cygwin with bash. Oddly, Apple’s OS X bash patch is not available via the App Store; you have to obtain it from the main Apple downloads site. A security researcher claims to have found evidence of a new botnet that uses the Shellshock exploit.

Update 2014Oct23: Ars Technica: Fallout of Shellshock far from over

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.