Snooping passwords from literally hot keys, China's AK-47 laser, malware, and more
Your two-minute guide to the week's infosec bits
Roundup The week surrounding America's "Huzzah, we kicked out the Brits, and will now spell color any way we like" Day, on July 4, is traditionally one of the slowest periods in the annual business tech news cycle.
IT security, on the other hand, never rests. We've covered Google cracking down on non-HTTPS sites, Fortnite cheats getting pwned by malware, a fascinating interview with plane hacker Chris Roberts, and even a new (and poorly written) computer crime novel cowritten by Bill Clinton.
But there were other stories bubbling under, so here's the best of the rest.
Time to get patching Ubuntu
Canonical has issued a rash of new security patches for its Ubuntu GNU/Linux distribution – updates that should be installed as soon as possible.
Not all of these fixes are alike. If you're running a system with an AMD processor, one patch removes an earlier update that was supposed to address the Spectre CPU vulnerability. That microcode-level mitigation left some AMD-powered systems unable to boot, and now has been given the boot from Ubuntu Linux computers.
There's also a security update for Firefox packages, following critical fixes from Mozilla. Ubuntu's handling of PHP, Devscripts, and Archive Zip have also been given some secure code lovin'.
Regarding the Firefox updates, the security fixes were publicly issued by the browser's maker Mozilla on June 25 and 26, however, they are only now making their way to Ubuntu users. Other Linux flavors, such as Debian, pushed out the Firefox security update days earlier to users.
We asked Canonical why the week-long hold up, and a spokesperson told us the Ubuntu team was "waiting for the point release from Mozilla before pushing out updates." The Firefox snap is kept "up to date so users can install that if they want to run the latest version."
Still, the delay irritated some as it meant people were left running vulnerable software while miscreants potentially developed exploits for the disclosed bugs.
Infosec consultant Stephan Verbücheln, based in Switzerland, told us earlier this week before Ubuntu updated its Firefox packages: "Despite this version fixing several security issues with critical risk, Ubuntu has still not updated the version in their repositories. There is no reason to assume that Ubuntu staff was overwhelmed by a sudden Mozilla release."
In any case, if you use Firefox, get the latest updates.
Beware the Therminator
No, not Arnie with a lisp, but instead an interesting bit of research into side-channel data-leaking techniques.
Boffins at the University of California Irvine has been doing some interesting work [PDF] into thermal imaging and passwords. Humans run quite hot thanks to our mammalian status, and it turns out warm fingerprints left on key tops after typing in a password can be observed to snatch one's login credentials.
You might think that the poor thermal conductivity of the average keyboard was negligible, but it turns out a heat-sensing camera can spot keystrokes up to 45 seconds after the keys are pressed. It's a canny bit of research that led the eggheads to postulate that we should consider dumping passwords altogether for a better system.
It's a cute surveillance technique, but one can't help wondering about its practicality. After all, if you have the kind of access to a target that allows this kind of thermal imaging then why not just use a plain old camera to watch typed passwords, install a keylogger, or just look over their shoulder.
- On July 11, the US Senate committee for commerce, science and transportation will hold a hearing on the data-leaking Spectre and Meltdown CPU flaws.
- Microsoft security researcher Matt Oh has taken apart a malware-laced PDF, reverse-engineering it to great and fascinating detail. Code within the document exploits, now fixed, bugs in Windows and Adobe Acrobat to hijack the machine when opened.
- Watch out for this macOS software nasty: OSX.Dummy, which is installed by marks if they are tricked into running a command in Terminal that downloads and runs the thing. The malware opens a backdoor, and makes a note of the Mac's root password.
- We hope you've patched your HP iLO 4 server firmware for CVE-2017-12542, released in August 2017, because research and proof-of-concept exploit code is now floating around. The flaw can be abused to bypass authentication, and execute malicious code remotely. It can be as simple as sending 29 characters in a Curl request.
- Microsoft's Windows 7 Defender has started receiving malware updates again after a week's hiatus.
Portly piracy suspect is pissed off
The continuing saga of Kim Dotcom opened another chapter when the former owner of one of the most notorious file-sharing websites, Mega Upload, lost his appeal against extradition.
The New Zealand courts ruled against Dotcom's appeal against a verdict that would see him shipped off to the US to face charges of copyright infringement and fraud. His team has promised to appeal again to the country's Supreme Court.
There had been earlier signs of hope for Dotcom, after a court ruling that he couldn’t be extradited for copyright infringement as the crimes occurred outside of New Zealand's jurisdiction. But it was the fraud allegations that stuck.
Old dog, new tricks
One of the oldest families of malware, Rakhni, has received an upgrade.
The code has traditionally been used as a trojan to provide backdoor access to infected Windows PCs. Once installed, it can be used to scoop passwords and login details, but apparently that's no longer enough, according to Kaspersky Lab.
Now the code's masterminds have seen fit to add cryptocurrency-mining code into the software nasty. It's adding insult to injury – first it steals your data, then your CPU cycles.
China perfects laser rifle
Something for the Flash Gordon fans: it seems that the Chinese have developed a laser rifle that actually works.
According to reports the compact, if rather ugly, rifle is dubbed the ZKZM-500 and has a range of half a mile. It can burn through clothing in seconds, burn bare skin, and ignite petrol tanks on cars. It's now ready for mass production, and will be coming to counter-terrorism squads in the Middle Kingdom.
Given that America is already worried about laser weapons being used by the Chinese military against its forces, this new weapon could spark a new, light-based arms race.
Move over Nigeria, Botswana's in town
When you think African computer crime, Nigeria is the first place that comes to mind, thanks to numerous princes of the locale trying to snatch people money.
But there's a new kid on the block, according to police in the southern African state of Botswana. In the last few months, the nation's cops have been deluged with complaints from businesses far and wide that are getting ripped off online by miscreants within the country.
There's the traditional business invoice scams, but also fraudulent suppliers dropping off the radar once the money for orders has been sent, and even some enterprising scumbags using fake Facebook accounts to further aid scamming. ®
Sponsored: Becoming a Pragmatic Security Leader