AMD security flaw saga, browsers broken, Lamo dead at 37, and more

It's the week in security

Roundup The lingering fallout of security flaws in AMD processor chipsets has dominated the news this week, and it ain't over yet.

The initial flaw disclosure on Tuesday was short on details and high on hype, and some thought that either the issue was massively overhyped or was being used to try and manipulate AMD's stock price. The situation wasn't helped by CTS Labs, which first raised the issue, remaining quiet.

That changed, when its CTO Ilia Luk-Zilberman issued an open letter on the matter. He defended the disclosure of the flaws and the decision to give AMD less than 24 hours' notice about the issue, saying he did not agree with the current responsible disclosure practice of giving a manufacturer days or weeks to prepare a patch before disclosing.

"I think that a better way, would be to notify the public on day zero that there are vulnerabilities and what is the impact," he wrote.

"To notify the public and the vendor together. And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk."

That's as maybe, but the company hasn't exactly covered itself in glory over the affair, particularly as an attacker would already have to have admin-level access to a PC for them to work.

These bugs will, however, be adopted by malware writers to make sure that once any nasty code gets on to a system it'll be an absolute bugger to remove. Thanks guys.

Lotto shock-o

On Friday, the UK National Lottery alerted its gamblers to change their passwords after miscreants were able to log into a small number of player accounts – about 150, we're told. The scumbags used usernames and passwords leaked from other websites, which players had reused for online lotto profiles.

"We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or the payment of prizes," lottery operator Camelot said.

It is understood the accounts were likely broken into as a result of credential stuffing.

Browsers take a beating

The annual CanSecWest security conference has been going on in Vancouver and that means the top browsers and operating systems took a hammering in the Pwn2Own hacking competition.

The competition is simple, hackers try and break stuff, they get cash prizes if they do so and in exchange manufacturers get the flaws they used and we all end up hopefully safer. This year $267,000 was paid out and almost every target was cracked.

Richard Zhu bagged $70,000 for an elegant takedown of Microsoft's Edge browser, albeit on the third attempt. Oracle VirtualBox also fell - with a prize of $27,000 - while a three-bug attack took down Apple's Safari browser and earned the hacker $60,000 and a free laptop.

Zhu was back the next day and had more success against Mozilla's Firefox browser, earning another $50,000. Another attempt on Safari was successful, but outside the time limit and so didn't get a cash award, but the next team was successful and bagged $50,000 to share amongst themselves.

This year's competition was smaller than expected. This was in part due to some teams not being able to get their attack code working, but also because there weren't any Chinese teams taking part. The Middle Kingdom has decided to keep its exploits to itself, and that's also proved to be true for vulnerability disclosures.

Malware madness

Of course, there was plenty of new malware bubbling under this week, and a particularly nasty Android botnet.

Android malware is nothing new, but the creators of the RottenSys code pulled off something quite remarkable with a sneaky and pernicious piece of malware that infected over five million mobile devices in China.

The malware hid in an innocuous-looking Wi-Fi app and spammed the user with adverts constantly. It also proved very hard to get rid of and the security firm Check Point that found it estimated the creators were netting around $115,000 every 10 days from the code, which had been operating for months.

Meanwhile, across the border in Russia, Microsoft found a major botnet operating in the Land of the Eternal Putin. Smoke Loader infected hundreds of thousands of Russians who were using a poisoned peer-to-peer app as an attack vector. The message – don't be a freetard and stop pirating.

Git blame

GitHub has also had a bad week of it. Not only does the site have a potential looming copyright headache with the EU but it was also found to be hosting some nasty Windows malware.

Researchers at Securi found the repository, which was hiding LokiBot, an email credential harvesting nasty. Sticking it on GitHub meant any machine could be redirected to download it once they had been tricked into thinking they were getting Adobe's Flash.

While it's an old tactic the "download Flash" screen should be on its way out. Not only is the software a security nightmare but it's being retired in less than two years. Part of me would like to see Adobe take it round the back and shoot it now.

Also, according to Avast, miscreants are uploading Monero mining code to forked projects on GitHub.

RIP Adrian Lamo

As we were going to press the news came down that former hacker Adrian Lamo has died at the age of 37.

"With great sadness and a broken heart I have to let know all of Adrian's friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son..." his father wrote in a post on Hacker 2600's Facebook page on Friday.

Lamo shot to fame at the turn of the century and was initially praised after he found holes and worked with companies to fix them. Worldcom got a lot of help from Lamo, and other firms did well too, but the pull of the dark side was too strong it seems.

In 2002 he hacked the New York Times and added his name to the staff, and ran up thousands of dollars in bills using the paper's Lexis-Nexis accounts. He pleaded guilty and got six months house arrest and probation.

He claimed to have given up hacking after that, and certainly never got caught. But he was active online and began chatting with a soldier in Iraq known today as Chelsea Manning. Lamo befriended Manning, who confided in him that she had been vacuuming up US army intelligence cables – that showed that the Green Machine was up to some questionable practices – and was sending it to WikiLeaks.

Lamo tipped off the FBI, alerting the g-men to what was going on. Manning was arrested, tortured, and sent down for 35 years, although the sentence was commuted by President Obama. The affair left Lamo's name as mud with large sections of the hacker community, who saw him as a snitch.

He had been suffering from mental health issues. No details have been given of his death in Kansas, but it's a tragic end for someone who showed so much potential. ®




Biting the hand that feeds IT © 1998–2018