January 10, 2018

Meltdown and Spectre: How much are ARM and AMD exposed?

By Andy Patrizio

As the chip vendors wrestle to get their arms around the Meltdown and Spectre vulnerabilities, we’re slowly determining the exposure of AMD and ARM to the exploit. Intel, unfortunately, is totally vulnerable. With AMD and ARM, though, it gets complicated.

Read more at https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html

Is single tenancy the fix for the Meltdown flaw?

By Andy Patrizio

As the fallout continues over the Meltdown and Spectre exploits in Intel and now some ARM processors, the issue of what to do about it is coming front and center. Clearly there is no fixing a silicon problem; Intel will have to adjust future chips to deal with it. So, for now, we have the software fixes.

Read more at https://www.networkworld.com/article/3246008/data-center/is-single-tenancy-the-fix-for-the-meltdown-flaw.html

Smart-toymaker VTech fined over charges of violating child privacy law

By Lisa Vaas

In 2015, smart toymaker VTech tripped. And it fumbled a whole lot of frighteningly specific data about children when it did.

Well, allegedly, at any rate. An intruder claimed to have broken into servers and ripped off data s/he said was so sensitive, it made them queasy.

With good reason: the intruder claimed to have accessed photos of kids and parents; chat logs; and audio files. The FTC said they got first names, genders and birthdays of about 638,000 children. The intruder said they got email addresses; encrypted passwords; secret questions and answers for password retrieval; IP addresses; mailing addresses; and download histories. The personal data pertained to 4,833,678 parents, the intruder said.

On Monday, VTech didn’t admit to wrongdoing, but it did settle Federal Trade Commission (FTC) charges that the company violated children’s privacy law – that would be the Children’s Online Privacy Protection Act (COPPA) – and the FTC Act.

The FTC announced on Monday that VTech had agreed to settle for a civil fine of $650,000.

In a complaint filed by the US Department of Justice on behalf of the FTC, the commission alleged that VTech’s Kid Connect app collected the personal information that was allegedly breached. Kid Connect is a service that allows parents and kids to chat via a mobile phone app and a VTech tablet.

Read more at https://nakedsecurity.sophos.com/2018/01/10/smart-toymaker-vtech-fined-over-charges-of-violating-child-privacy-law/

Beautiful webchat honeys turn out to be fembots

By Lisa Vaas

Police in Guangdong, China, announced on Monday that there will henceforth be a sizable population of homeless dating app fembots.

This comes after police successfully “smashed” the 21 companies the chatbots called home. Police said they’ve arrested more than 600 suspects on suspicion of mobile app network fraud, froze a total of 100 billion yuan (USD $154m; £113m), and seized more than 400 servers, computers, mobile phones, books and more.

Authorities have been working on the massive fraud network since August 2017. They were tipped off after coming across a mobile app that was charging visitors to view porn videos that didn’t actually exist.

The crackdown, dubbed “Security Network No. 20”, was simultaneously carried out in 11 cities, including Zhuhai, Shantou and Dongguan in Beijing, Liaoning, Shaanxi, Henan, Shandong, Jiangsu, Zhejiang, Hunan, Hubei, Jiangxi, Fujian, Guangdong, Guangxi and another 13 provinces, autonomous regions and municipalities.

A task force found dating-app fembots “making friends,” or what we also call dangling porn as bait for men, getting them to register for apps, dropping flirty phrases such as (what Google translates as) “a city courtship,” “party dating,” and “a city secret tease.”

Once the dating apps lured men into downloading and installing them, surprise! The apps would continuously upgrade their membership level.

Read more at https://nakedsecurity.sophos.com/2018/01/10/beautiful-webchat-honeys-turn-out-to-be-fembots/

CoffeeMiner project lets you hack public Wi-Fi to mine cryptocoins

By Paul Ducklin

Remember how an Argentinian Starbucks store recently turned out to be doing JavaScript cryptomining on the side?

That’s where someone else uses your computer, via your web browser, to perform a series of calculations that help to generate some sort of cryptocurrency, and keeps the proceeds for themselves.

In that case, it seems to have been a unilateral decision by the Wi-Fi provider to include coin mining JavaScript code in the Wi-Fi registration page.

We’re guessing that the provider figured it would be OK to “borrow” approximately 10 seconds of CPU time whenever someone connected to the Wi-Fi, presumably as a way of earning a few extra pennies in return for providing free internet access.

(Just for the record, the tweeter was wrong above, inasmuch as the code was mining Monero, not Bitcoin – but the sentiment was spot-on.)

Starbucks wasn’t impressed, and “took swift action to ensure [the] internet provider resolved the issue”.

We’re guessing here, but we’re prepared to assume that this “swift action” involved a very short phone call in a rather loud voice.

But it’s not only the Wi-Fi operator or the coffee shop owner that you need to worry about.

If you join a public Wi-Fi network, and you don’t use a VPN, or stick to HTTPS websites, or both, then…

…anyone else in the coffee shop (or bus, or train, or hotel lobby, or wherever it is) at the same time can sniff out what you’re doing, and perhaps also trick you into seeing and doing something you didn’t expect.

Read more at https://nakedsecurity.sophos.com/2018/01/09/coffeeminer-project-lets-you-hack-public-wi-fi-to-mine-cryptocoins/

Aadhaar breaches fueled by rogue admin accounts

By John E Dunn

Not long ago trumpeted as the world’s largest biometric database, India’s Aadhaar system covers 1.2bn citizens. Lately, though, it’s acquired a less impressive reputation – that it’s one of the easiest to breach.

In a matter of days, two sets of journalists claimed they’d bypassed its security with worrying ease, apparently by gaining access to a layer of privileged and admin accounts that have ended up in the wrong hands.

In the most widely-reported incident, a researcher paid Rs 500 ($8) to an anonymous WhatsApp seller for credentials giving access to the name, address, phone number, postal PIN, email address and photograph of anyone in Aadhaar after entering their 12-digit UIDAI (Unique Identification Authority of India) number.

Worse, for a few dollars extra, the researcher was offered software capable of printing this out as a usable Aadhaar identity card.

A day later, a second investigation reported being able to acquire access to an admin account for between Rs500 and 6,000 ($95) that conferred the Godlike ability to create additional new admin accounts, which in turn could create new admin accounts – and so on.

Which meant:

Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters – the Aadhaar database won’t ask.

The revelations continued this week with the Times of India reporting that despite November reports that up to 200 Indian government websites were displaying details of Aadhaar identities in public, some continued to do so weeks later.

None of this is good news for Aadhaar’s reputation of course, but the biggest worry could turn out to be the authorities’ confused response.

Read more at https://nakedsecurity.sophos.com/2018/01/09/aadhaar-breaches-fuelled-by-rogue-admin-accounts/

Apple issues Spectre fix with iOS 11.2.2 update

By Maria Varmazis

On 8 January, Apple made available iOS 11.2.2, which includes a security update for Spectre, one of the CPU-level vulnerabilities making the headlines of late. (If you need a full rundown about what these processor bugs entail and how they work, take a moment to read Paul Ducklin’s comprehensive post on the topic.)

This iOS update specifically addresses CVE-2017-5753 and CVE-2017-5715, two chip-level vulnerabilities collectively known as Spectre. All of the chip-level vulnerabilities including Spectre, at a very high level, take advantage of flaws in hardware to allow an attacker to potentially read or steal data.

Thankfully, these flaws can be mitigated at an operating system or software level when vendors make patches available. The two Spectre vulnerabilities can be triggered via JavaScript running in a web browser, so the iOS 11.2.2 update specifically makes changes to Apple’s Safari and WebKit to mitigate their effects.

There were a number of chip vulnerabilities revealed concurrently earlier this month – they’re similar but not the same. Often mentioned in the same breath as Spectre is Meltdown, CVE-2017-5754. While Meltdown affects most types of Intel processors made since 1995 – meaning almost all the world’s desktops, laptops, and servers – Spectre affects an even broader array of processor types, not just Intel, but AMD and ARM as well.

Most of the world’s smartphones, including iPhones and Samsung phones, run on ARM chips. While yes, technically, Spectre makes most of us with a smartphone in our hands vulnerable, thankfully the Spectre flaws have been found by vendors and researchers to be much harder to exploit overall than Meltdown, so it hasn’t been as high a priority for a fix.

Read more at https://nakedsecurity.sophos.com/2018/01/09/apple-issues-spectre-fix-with-ios-11-2-2-update/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation