Security Bits Logo

Security Bits – Spectre & Meltdown Update (Again), Dark Caracal, chaiOS

Meltdown & Spectre Update

  • Steve Gibson of GRC (author of ShieldsUp & SpinRite) has released InSpectre, a free Windows app which clearly communicates your PC’s current level of protection against Meltdown & Spectre, and what kind of a performance hit you should expect — www.grc.com/…
  • RedHat have withdrawn their microcode patch for Spectre after it caused some systems to become unbootable (Linux supports dynamic updating of CPU microcode without the need for a BIOS update) — www.theregister.co.uk/…
  • A great post on the official Raspberry PI blog that primarily aims to explain why the Raspberry PIs are not vulnerable to Spectre, but in the process, explain Spectre in clearest and most understandable way I’ve yet seen — www.raspberrypi.org/…

Security Medium 1 — Dark Caracal

This story is breaking as we record, so the details are still a bit sketchy.

A security research firm, Lookout Security, in conjunction with the EFF, have released a report on their investigation into a hacking group they have dubbed Dark Caracal. The report can be downloaded for free: www.lookout.com/…

The malware deployed by this team is not particularly sophisticated — it uses known vulnerabilities and is delivered via Spear Phishing. Attacks have used malware for many OSes including Windows and MacOS, but the vast bulk of the malware used in these attacks has been for Android phones. The attackers used these tools and techniques to spy on thousands of carefully chosen targets in 21 different countries.

What makes this series of attacks significant is that the malware is sending all the data to servers in a building belonging to the Lebanese government! Even more interestingly, the researchers believe this is not simply an internal Lebanese government program, but a new spyware-as-a-service offering available to other governments, including those who would not have the resources to develop their own such tools.

Links

Security Medium 2 — chaiOS

An extremely annoying iOS & macOS text bomb is doing the rounds. A bug has been found in the way Apple’s Messages app processes messages. The bug allows attackers to crash a victim’s devices simply by sending them a message that contains a link to an intentionally malformed web page. The recipient doesn’t even have to open the message to get hit by this, as soon as the OS tries to read the message and generate its preview, it runs into problems.

According to reporting, the only way to recover from receiving a message like this on an iOS devices is to do a factory restore, destroying all your local data that is not in the cloud.

This is a denial-of-service problem, not an exploitation problem, so while it’s not a catastrophe, it still have the potential to do harm, and, at the very least, to be very darned annoying!

Thankfully the bug was already patched in the latest iOS 11 beta, and Apple have promised to get the patch released to general public next week.

The immediate danger has also been somewhat lessened with a take-down of the website that was hosting the attack link, and the removal of the GitHub account that was hosting the source code for the malicious website. However, the code was public on GitHub for some time, so it seems unlikely no one has a copy.

Links

Notable Security Updates

  • Patch Tuesday has been and gone, and Adobe released a critical security update for Flash — helpx.adobe.com/…

Notable News

  • The WiFi Alliance have announced that they will be releasing WPA3 later in 2018 (Editorial: I share Steve Gibson’s concern that this is yet another vitally important security specification developed in complete secrecy and isolation by the WiFi Alliance. This is the same approach that was used by the WiFi Alliance to develop the catastrophically flawed WEP and WPS standards.) — www.macobserver.com/…, nakedsecurity.sophos.com/… & tidbits.com/…
  • 🇺🇸 Well-known electronic toy manufacturer VTech has settled for $650,000 with the US FTC over alleged violations of child privacy protections enshrined in COPPA (a US law) following a high-profile data breach in 2015 — www.theverge.com/… & nakedsecurity.sophos.com/…
  • macOS hit with another embarrassing password bug — you can unlock the App Store preference pane with any password. A fix is already included in the latest beta, so it will be out soon, and this bug requires the attacker already be logged in to your computer, and even then, it doesn’t give them much power. So, no reason to panic, but it sure looks like Apple’s QA could do with some TLC! — www.macrumors.com/… & www.imore.com/…
  • The latest preview version of Skype moves the app over to the open-source Signal protocol, providing cryptographically secure end-to-end encryption — arstechnica.com/…
  • Security researcher have found a flaw in how WhatsApp administers group chats, but thankfully, it can’t be practically exploited, so while it does need fixing, there’s no need to panic — www.imore.com/…
  • Apple have updated their excellent iOS 11 Security Guide, adding information and guidance regarding new features like FaceID and Apple Pay Cash and more — www.imore.com/…

Suggested Reading

3 thoughts on “Security Bits – Spectre & Meltdown Update (Again), Dark Caracal, chaiOS

  1. sTim - January 22, 2018

    Which product was the one that you said was about $5 and was good for RFID blocking? I remember you said one you were probably going to order just to be safe, but I forget which one!

  2. Allison Sheridan - January 27, 2018

    I asked Bart and he doesn’t remember but he also doesn’t have it yet.

  3. Allison Sheridan - January 27, 2018

    sTim – he found it: http://amzn.to/2DKbrZD. That’s in the Amazon UK store btw. It’s called “RFID/NFC Blocking Card by ATTENUO”

Leave a Reply

Your email address will not be published.

Scroll to top