Archive for the 'Computer Security' Category

Microsoft Disables AutoRun in Windows XP, Vista

Wednesday, February 16th, 2011

The AutoRun feature in Windows is a significant security risk (as illustrated in this Chad’s News post), and Microsoft has finally decided to take action. With the latest Windows Update, there’s an optional update to disable AutoRun in Windows XP and Vista (it is already disabled in Windows 7). Some types of media, such as CDs and DVDs, will still use AutoRun, but executable files on most removable media, e.g., USB drives, will no longer be run without the user’s knowledge.

Link: http://www.computerworld.com/…
(via Kim Komando)

Exploits and Backdoors Via Malicious Hardware

Sunday, January 16th, 2011

The authors at Ksplice are pretty good at digging into the low-level guts of modern computer systems—it’s not too unusual to see them posting assembler code to illustrate a point. In the linked article, they demonstrate how to use a PCI expansion card to hijack a computer in a manner that’s quite hard to detect, and which defies standard methods to recover a compromised system. The malicious hardware gets control of the system at boot time and intercepts the BIOS call that loads the operating system. This gives it the ability to then modify the OS to include an exploit.

For the normal computer user, this is a non-issue. But for those who deal with ultra-classified national security issues, you can never be too careful (maybe that peripheral manufactured in China is not as trustworthy as you think…). The example given in the Ksplice article is more of a proof of concept, because it only works on a single, specific release of the Linux kernel, but it wouldn’t be too difficult to come up with something more versatile.

The linked article is quite technical in nature, so you’ve been warned.

Link: http://blog.ksplice.com/…
(via Slashdot)

Gawker Media Sites’ Passwords Hacked

Monday, December 13th, 2010

Today I received two random emails telling me that my password credentials had been hacked for the Gawker Media sites, including lifehacker.com, a primary source for Chad’s News articles, as well as gawker.com, gizmodo.com, io9.com, jalopnik.com, jezebel.com, kotaku.com, deadspin.com, and fleshbot.com. At first I thought this was a rather obvious spam/hack attempt, but after some quick research I learned that the Gawker Media database had indeed been hacked, and that my login credentials (username, email address, and password) have been posted to the web. Since this is a password I use extensively for non-critical logins, I’m going to have to change it for something nearing a hundred web sites. Note that the compromised passwords were encrypted, but that the encryption scheme is fairly easy to break.

Link #1: http://news.softpedia.com/…

Link #2: http://lifehacker.com/…

Adobe Reader X: Now With Sandboxing

Tuesday, November 30th, 2010

Adobe has released a new major version of its free Adobe Reader, the program that allows you to view PDF files. A significant new security feature is sandboxing. For those not familiar with the concept, the main program interacts with the outside world (i.e., the operating system) through a second, supervisor program. The supervisor typically just echoes the requests straight to the operating system, but it also ensures that any unauthorized or unsafe requests are denied. So even if a vulnerability is discovered and successfully exploited, the sandbox mechanism will prevent it from doing anything. Note that using the regular Adobe Reader update function will not get you version X—you’ll need to go to the download page and manually start the installation.

Link: http://www.eweek.com/…
(via Kim Komando)

BIOS Passwords Are Ridiculously Easy to Circumvent

Monday, November 15th, 2010

Setting the BIOS password on your laptop may seem like a smart idea, but it turns out that you can easily reverse engineer the password from information displayed by the laptop. The linked article has scripts that will do this for a variety of manufacturers and models. Of course, it’s not that difficult to reset the BIOS password using other methods—my motherboard, for instance, has a jumper that will reset the BIOS settings to their defaults.

Link: http://dogber1.blogspot.com/…
(via Lifehacker)

Beware the Unknown USB Drive

Thursday, November 4th, 2010

Did you know that the simple act of plugging a USB thumb drive into your computer will often run (AutoRun) a program that’s on the drive? So an easy way to compromise computers is to put malicious software on some USB drives and scatter them around on the ground. Quite a few people will pick up such a drive and plug it into their computer to see what’s on it.

The recent Stuxnet worm used USB drives to get inside Iranian power plants and infect their control systems. It was designed to work even if AutoRun had been disabled. Just browsing the drive and opening a folder was sufficient to infect the computer.

This type of attack can be prevented by education. Simply put, be very careful about using a USB drive from an unknown or untrusted source. And if you find it lying on the ground in your company’s parking lot, throw it away (or report it to your computer security personnel if such exist).

Link: http://www.slate.com/…
(via The Consumerist)

Java Exploits See an Exponential Rise

Thursday, October 28th, 2010

Microsoft says it’s seeing a huge increase in the number of Java-based security exploits. Many if not all of the attack vectors are known bugs that have been fixed in the current Java Runtime Environment (JRE), but non-power users probably don’t think much about keeping Java updated. So it might be a good idea to install the latest version.

Link: http://arstechnica.com/…

Hiding Your Wireless Network’s SSID May Be More Effort Than It’s Worth

Sunday, October 24th, 2010

Wi-fi networks have an identifier, known as the SSID. The default setting for many routers is to broadcast the SSID—thus making it easier to find and connect to the network, but most wireless security tutorials recommend disabling the SSID broadcast. Lifehacker, however, suggests this may be more trouble than it’s worth. Any hacker with a minimum amount of knowledge can easily determine the SSID, regardless of whether or not it’s being broadcast.

Link: http://lifehacker.com/…

Enter the Evercookie

Friday, October 22nd, 2010

You don’t have to be a hard-core geek to know how some websites use cookies to identify your computer and track your internet browsing habits. But it’s just too easy to disable and/or delete browser cookies, so the organizations involved have been looking for better methods. The goal is to save information across page visits and browser sessions, and there are quite a few ways to accomplish this. Flash cookies use the local storage capabilities of the Adobe Flash Player. These have given rise to zombie cookies, where a deleted browser cookie is recreated from the Flash cookie. HTML 5 has a client-side database storage capability that makes me wonder just what they were thinking when they developed the standard. And finally there’s the Evercookie, which uses every trick in the book and is quite hard to remove. My favorite is how it encodes the cookie data as an image file, which is stored in the browser’s cache to be later read back and decoded.

Update: Ars Technica tells us that it’s technically possible to kill the Evercookie.

Massive Windows Update

Thursday, October 14th, 2010

Microsoft released a record-breaking number of security updates on Tuesday, and it sounds like it’s a good idea to run Windows Update if you haven’t already done so.

Link #1: http://www.google.com/…
(via Kim Komando)

Link #2: http://blogs.techrepublic.com.com/…

The Changing Edge of Password Safety

Tuesday, October 5th, 2010

Given the massive parallel processing power available in today’s video cards, a 7-character password is “hopelessly inadequate,” and even an 8-character password can be cracked in a couple hours. This is regardless of the mix of letters, numbers, symbols, upper/lower case, etc. So the recommended minimum length for passwords is now 12 characters. But don’t think you’re completely safe with a longer password—you also need to make sure it’s not susceptible to a dictionary attack.

Link #1: http://www.gtri.gatech.edu/…

Link #2: http://www.theregister.co.uk/…
(via engadget)

Link #3: http://dailycaller.com/…

Windows DLL Exploit

Friday, August 27th, 2010

A far-reaching Windows application exploit has been making the news recently, and I’m here to tell you that it’s no big deal if you’re careful.

The core issue is this: when opening an application, Windows has a list of locations that it searches for the various executable library files needed to run the program. For versions of Windows prior to XP SP2, the very first location it searches is the “current” working directory. For XP SP2 and later, the current directory is searched last.

The exploit is simple: a hacker provides a document and, in the same directory as the document, places a malicious library with the same name as a library used by the application that will open the file. When the user double-clicks on the document, Windows will load and execute the malicious library instead of the correct one—because it comes first in the search list. Thus the hacker gets you to run malicious code of his choosing, which is the holy grail of hacking. Obviously this is more difficult in post-XP SP2 versions of Windows, because the current directory is searched last, but the exploit is still possible.

An example of how this could occur would be if you found a flash drive on the ground and plugged it into your computer. Another would be if you downloaded a directory with some movies from the Internet and double-clicked on one to watch it. A third possibility is opening a document over a network, where the other computer has already been hacked. With knowledge of this issue, however, and if you are careful about what files you download and open, this vulnerability becomes manageable.

Unfortunately this is not a Windows bug that can be fixed. It’s a design decision from the early days of PC operating systems, and it’s so deeply embedded in the architecture that it won’t be changed. Doing so would break a great many applications. Microsoft has done what it can to make things safer. They modified the search order, so that the current directory is searched last instead of first. Applications can specify that the current directory not be searched at all. There are hundreds of popular programs that don’t do this, and it’s up to each individual program to enable that setting.

That being said, Microsoft has released a patch that enables you to change how code libraries are loaded on your computer.
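To make the search-order argument concrete, here is a small Python model added to this post (it is not code from the post or from Microsoft, and it does not touch a real file system). It follows the ordering as described above, with the current directory either first or last, and shows why a planted library wins in the old order, loses to the system copy in the new order, and still wins when the application asks for a library that exists nowhere else, unless the application has excluded the current directory altogether. All directory names and DLL names are constructed.

```python
"""Model of the DLL search order described in the post above.

Directories are plain dicts mapping a DLL file name to a label that says
where that file came from. The ordering follows the post's description:
current working directory first (before XP SP2) or last (XP SP2 and later).
"""
from typing import List, Optional, Tuple

# Constructed sample layout. DOC_DIR is the folder holding the double-clicked
# document, which becomes the current working directory of the viewer process.
APP_DIR = {"viewer.exe": "legit"}
SYSTEM_DIR = {"kernel32.dll": "legit", "dwmapi.dll": "legit"}
DOC_DIR = {"movie.avi": "data", "dwmapi.dll": "planted", "optional.dll": "planted"}


def search_order(cwd_last: bool, cwd_searched: bool = True) -> List[Tuple[str, dict]]:
    """Return the ordered (label, directory) pairs a library load would consult.

    cwd_last=False mirrors pre-XP SP2 (current directory searched first);
    cwd_last=True mirrors XP SP2 and later (current directory searched last);
    cwd_searched=False models an application that opted out of searching the
    current directory entirely.
    """
    fixed = [("app", APP_DIR), ("system", SYSTEM_DIR)]
    if not cwd_searched:
        return fixed
    cwd = [("cwd", DOC_DIR)]
    return fixed + cwd if cwd_last else cwd + fixed


def resolve(dll: str, cwd_last: bool, cwd_searched: bool = True) -> Optional[Tuple[str, str]]:
    """Return (directory label, file origin) of the first match, or None if not found."""
    for label, directory in search_order(cwd_last, cwd_searched):
        if dll in directory:
            return (label, directory[dll])
    return None


if __name__ == "__main__":
    for name in ("dwmapi.dll", "optional.dll"):
        print(name,
              "| pre-SP2:", resolve(name, cwd_last=False),
              "| post-SP2:", resolve(name, cwd_last=True),
              "| cwd excluded:", resolve(name, cwd_last=True, cwd_searched=False))
```

The `optional.dll` case is the one the post calls "still possible": a library the application looks for but that no trusted directory supplies is found in the document's folder even with the current directory searched last.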

Link #1: http://www.infoworld.com/…
(via Kim Komando)

Link #2: http://arstechnica.com/…