TSMC chip fab tools hit by virus, payment biz BGP hijacked, CCleaner gets weird – and more

What else is going on in infosec this week...


Roundup This week we took a close look at Google security keys, bid adieu to Facebook's head security honcho, and had a few email credentials overshared by Atlassian.

Here's everything else that happened in infosec land this week beyond what we've already reported.

TSMC chip assembly line computers infected

Chipmaker TSMC – which supplies components for Apple, AMD, Nvidia, Qualcomm, Broadcom, and others – said its semiconductor fab tools were downed by a virus.

The malware hit the Taiwanese manufacturing giant's systems on Friday night, and some plants remain infected at time of writing while others have been restored to operation. It is not believed to be the result of an intrusion by one or more hackers – it sounds as though a staffer accidentally ran some kind of software nasty, and pwned computers on the network.

"Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day," the biz told the media on Saturday.

Remember the 70,000-odd Mikrotik routers hacked to mine cryptocoins? Well, make that more than 200,000 now.

Linux's leaky timer bug: Countdown to patching

A researcher has detailed a bug in the Linux kernel that can be exploited to leak sensitive data – such as cryptographic keys and passwords – from protected kernel memory, much in the same way as the Spectre and Meltdown processor design vulnerabilities. Interestingly, it took months for the fix to wind its way into Linux distributions, if at all.

Andrey Konovalov spelled out the situation to the Full Disclosure list this week: the programming blunder (CVE-2017-18344) was introduced way back in kernel version 3.10, and is due to a buggy show_timer() function. This code can potentially be abused by a malicious application to read memory it should not be able to snoop on.

"This allows to access kernel memory and leak keys, credentials or other sensitive information that is stored there (so the bug has a similar impact to Meltdown)," Konovalov explained.

The flaw is present in kernel versions pre-4.14.8, and was fixed in version 4.15-rc4 in late December. The patch has since been backported to the version 4.4 stable branch. Make sure you're not running a vulnerable build, as Konovalov said he will be releasing a proof-of-concept exploit some time next week.

Essentially, although the vulnerability has been known about for eight months, a CVE was only assigned late last month, and some Linux distributions are still shipping vulnerable kernels. Canonical, at least, pulled in the patch in Ubuntu 16.04.

"In this particular case of a somewhat 'scary' bug there was a window of 3.5 months between the bug being reported and the fixing commit reaching the Ubuntu Xenial 4.4 kernel branch," Konovalov noted.

"This gives some insight into how much time it usually takes for a fix to travel from upstream through stable into a distro kernel when there's no CVE. Compared to the 14 days that distros are usually given to fix a security bug reported through linux-distros@, that seems rather long."

Hack, hack, hack, hack, hackin' car high school

Long known as America's hub for autos, Michigan is once again looking to get to the forefront of the industry, this time through security.

Governor Rick Snyder has set forth plans for a new set of high school curricula aimed at teaching students skills they can use to design car security systems of the future.

Dubbed "Masters of Mobility: Cyber Security on the Road," the new education push will aim to train teachers who will in turn lead classes on the basics of cybersecurity and software development for automobiles. The aim is to help the state regain its clout in the industry by offering a bumper crop of security research talent that specializes in the automotive field.

The program will begin as a pilot with two Michigan schools in the Fall and, if successful, will roll out to nine more schools next year.

Homeland Security gets into Risk Management

The US Department of Homeland Security is stepping up its efforts to better manage the IT security projects being undertaken by its various agencies. Earlier this week, the DHS announced the creation of something called the National Risk Management Center. The office will apparently be tasked with overseeing cyber security projects and coordinating risk management studies.

The cybersecurity nerve center will also set the priorities for securing critical government functions and help sync up joint efforts between agencies and the private business sector.

"The National Risk Management Center advances the ongoing work of DHS and government and private sector partners to move collaborative efforts beyond information sharing and develop a common understanding of risk and joint action plans to ensure our nation’s most critical services and functions continue uninterrupted in a constantly evolving threat environment," the DHS said of the new program.

"The Center will work closely with the National Cybersecurity and Communications Integration Center (NCCIC), which will remain DHS’s central hub for cyber operations focused on threat indicator sharing, technical analysis and assessment services, and incident response."

CCleaner tries to explain shady behavior

Piriform, the developer of bloatware-cleaning tool CCleaner, is on the defensive after users spotted version 5.45 of the app monitoring their activity without consent. Netizens noted that even when they turned off Active Monitoring in the app, CCleaner continued to collect some data about what they were doing, and phoned it home to the developers' servers. This led some to question whether turning off Active Monitoring really did anything.

As it turns out, Active Monitoring itself is switched off when you disable it, but that doesn't stop other telemetry from being beamed back to base.

Piriform said that even when its Active Monitoring tool is turned off, it will still collect, for its own internal analytics, some anonymized information, such as the installed version, which features have been used, and details useful for hunting bugs. The developer, though vague on exactly what is slurped, assured users that the snooping was nothing to be afraid of.

"The information which is collected through these new features is aggregated, anonymous data and only allows us to spot trends," Piriform explained. "This is very helpful to us for the purposes of improving our software and our customers’ experience. No personally identifiable information is collected."

Piriform said it will be updating the tool soon to highlight exactly what is gobbled up when Active Monitoring is switched on and off – and has pulled version 5.45 for now.

Oracle warns of new attacks on payment systems

As if retail giants' IT departments didn't have enough security issues to worry about, now there is the threat of BGP and DNS hijackings.

Researchers at Oracle found a company handling card payment processing was the target of an attack that redirected DNS traffic to malicious servers. The technique, Oracle says, was nearly identical to what was used earlier this year to redirect traffic from Amazon's DNS service.

This resulted in an extended outage of the payment systems on July 10 as the traffic was instead run through the attacker-controlled networks in the Ukraine. According to Oracle researcher Doug Madory, this is probably the sort of thing we will all have to get used to.

"If previous hijacks were shots across the bow, these incidents show the Internet infrastructure is now taking direct hits," Madory wrote. "Unfortunately, there is no reason not to expect to see more of these types of attacks against the internet."

And finally

Free-HTTPS-cert-issuing org Let's Encrypt suffered a brief DNS outage at the start of the week that rendered some of its systems temporarily inaccessible after one of its upstream providers misconfigured its domain settings.

"The upstream provider beyond Namecheap accidentally set the status of our domain to clientHold," the project's Josh Aas told us. "Seems like it was some sort of administrative error. We're looking into steps we can take to reduce the likelihood of something like this happening again." ®



