By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Security researcher Mathy Vanhoef, who loves to poke holes in Wi-Fi security, is at it again, this time finding a dozen flaws that stretch back to cover WEP and seemingly impact every device that makes use of Wi-Fi. Thankfully, as Vanhoef explained, many of the attacks are hard to abuse and require user interaction, while others remain trivial. Another positive is Microsoft shipped its patches on March 9, while a patch to the Linux kernel is working its way through the release system. The details of FragAttacks follow a nine-month embargo to give vendors time to create patches. "An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices," Vanhoef said in a blog post. "Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities." Several of the identified flaws relate to the ability to inject plaintext frames, as well as certain devices accepting any unencrypted frame or accept plaintext aggregated frames that look like handshake messages. Vanhoef demonstrated how this could be used to punch a hole in a firewall and thereby take over a vulnerable Windows 7 machine. "The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone's home network," the security researcher wrote. "For instance, many smart homes and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately ... this last line of defense can now be bypassed." Other vulnerabilities relate to how Wi-Fi frames are fragmented and how receivers reassemble them, allowing an attacker to exfiltrate data. Even devices that do not support fragmentation were at risk. "Some devices don't support fragmentation or aggregation but are still vulnerable to attacks because they process fragmented frames as full frames," Vanhoef wrote. "Under the right circumstances, this can be abused to inject packets." Some networking vendors such as Cisco and Juniper are starting to push patches for some of their impacted products, while Sierra has planned some of its products to be updated over the next year, and others will not be fixed. The CVEs registered to due FragAttacks have been given a medium severity rating and have CVSS scores sitting between 4.8 to 6.5. "There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices," the Wi-Fi Alliance wrote. Vanhoef said anyone with unpatched devices can protect against data exfiltration by using http connections. "To mitigate attacks where your router's NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices are updated. Unfortunately, not all products regularly receive updates, in particular smart or internet-of-things devices, in which case it is difficult (if not impossible) to properly secure them," the researcher wrote. "More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices." Follow this thread on OUR FORUM.

Five serious vulnerabilities in a driver used by Dell devices have been disclosed by researchers. On Tuesday, SentinelLabs said the vulnerabilities were discovered by security researcher Kasif Dekel, who explored Dell's DBUtil BIOS driver -- software used in the vendor's desktop and laptop PCs, notebooks, and tablet products. The team says that the driver has been vulnerable since 2009, although there is no evidence, at present, that the bugs have been exploited in the wild. The DBUtil BIOS driver, which comes pre-installed on many Dell machines running Windows, contains a component -- the dbutil_2_3.sys module -- which was subject to Dekel's scrutiny. Dell has assigned one CVE (CVE-2021-21551), CVSS 8.8, to cover the five vulnerabilities disclosed by SentinelLabs. Two are memory corruption issues in the driver, two are security failures caused by a lack of input validation, and one logic issue was found that could be exploited to trigger denial-of-service. "These multiple critical vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges," the researchers say. The team notes that the most crucial issue in the driver is that access-control list (ACL) requirements, which set permissions, are not invoked during Input/Output Control (IOCTL) requests. As drivers often operate with high levels of privilege, this means requests can be sent locally by non-privileged users. "[This] can be invoked by a non-privileged user," the researchers say. "Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused "by design." Functions in the driver were also exposed, creating read/write vulnerabilities usable to overwrite tokens and escalate privileges. Another interesting bug was the possibility to use arbitrary operands to run IN/OUT (I/O) instructions in kernel mode. "Since IOPL (I/O privilege level) equals to CPL (current privilege level), it is obviously possible to interact with peripheral devices such as the HDD and GPU to either read/write directly to the disk or invoke DMA operations," the team noted. "For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process." Proof-of-Concept (PoC) code is being withheld until June to allow users time to patch. Dell was made aware of Dekel's findings on December 1, 2020. Following triage and issues surrounding some fixes for end-of-life products, Dell worked with Microsoft and has now issued a fixed driver for Windows machines.  The PC giant has issued an advisory (DSA-2021-088) and a FAQ document containing remediation steps to patch the bugs. Dell has described the security flaw as "a driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools [which] contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. "We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers," a Dell spokesperson said. "We have seen no evidence this vulnerability has been exploited by malicious actors to date. We appreciate the researchers working directly with us to resolve the issue."For more navigate to OUR FORUM.
The European Commission is issuing antitrust charges against Apple over concerns about the company’s App Store practices. The Commission has found that Apple has broken EU competition rules with its App Store policies, following an initial complaint from Spotify back in 2019. Specifically, the Commission believes Apple has a “dominant position in the market for the distribution of music streaming apps through its App Store.” The EU has focused on two rules that Apple imposes on developers: the mandatory use of Apple’s in-app purchase system (for which Apple charges a 30 percent cut), and a rule forbidding app developers to inform users of other purchasing options outside of apps. The Commission has found that the 30 percent commission fee, or “Apple tax” as it’s often referred to, has resulted in higher prices for consumers. “Most streaming providers passed this fee on to end-users by raising prices,” according to the European Commission. “Apple’s rules distort competition in the market for music streaming services by raising the costs of competing music streaming app developers,” says a statement from the Commission. “This, in turn, leads to higher prices for consumers for their in-app music subscriptions on iOS devices.” The EU has also sent Apple a statement of objections, which is essentially a list of how the Commission believes Apple has violated competition rules. This is the initial, formal stage of antitrust proceedings against Apple, and the company will have the chance to respond to the Commission’s list of objections within the next 12 weeks. This specific case is limited to Apple’s App Store practices for music streaming, and the EU is investigating additional separate cases on ebooks and the App Store in general. “This is not the last case we will have when it comes to the App Store,” said European commissioner Margrethe Vestager in a press conference this morning. Vestager also revealed the Commission is taking an interest in Apple’s policies around games on the App Store. “We also take an interest in the gaming app market,” said Vestager, responding to a question about the money involved in gaming apps on the App Store. “That’s really early days when it comes to that,” Microsoft called on regulators to investigate the App Store last year, just a couple of months before a public spat with Apple over its xCloud game streaming service. Apple now faces a fine of up to 10 percent of its annual revenue if it’s found guilty of breaking EU rules, which could be as high as $27 billion based on Apple’s annual revenue of $274.5 billion last year. Apple could also be forced to change its business model, which has more damaging and lasting effects than a fine. Spotify has welcomed the initial charges. “Ensuring the iOS platform operates fairly is an urgent task with far-reaching implications,” says Horacio Gutierrez, Spotify’s chief legal officer. “The European Commission’s statement of objections is a critical step toward holding Apple accountable for its anticompetitive behavior, ensuring meaningful choice for all consumers and a level playing field for app developers.” Central to this entire case is the 30 percent cut that Apple takes on subscriptions. Companies like Netflix and Spotify have long opposed this so-called Apple tax, but Apple has argued that the revenue contributes toward the costs of maintaining the App Store and enforcing its various content, privacy, and security policies. Spotify previously claimed that Apple uses its App Store to stifle innovation and limit consumer choice in favor of its own Apple Music service. That complaint was followed up with a similar one by Rakuten, alleging that it’s anti-competitive for Apple to take a 30 percent commission on ebooks sold through the App Store while promoting its own Apple Books service. Epic Games also joined many developers and companies opposing Apple’s App Store policies and filed an antitrust complaint with the EU earlier this year. It’s part of an ongoing dispute with Apple after the Fortnite developer publicly criticized Apple’s App Store policies around distribution and payments. This resulted in Epic attempting to circumvent Apple’s 30 percent cut on in-app purchases in Fortnite, and Apple quickly removing the game from its App Store. For more please visit OUR FORUM.
In the age of remote work, it's easier than ever to blur the lines between our personal and professional tech. Maybe it's sending personal texts or emails from your work phone, editing personal documents or photos on your work laptop, or joining a virtual happy hour with friends from your work tablet. None of these actions may sound like a particularly risky activity, but as a former "IT guy" I'm asking, nay pleading, with you to stop doing them. At least the potentially more hazardous activities, such as storing personal data on your work machine or storing sensitive company data on your personal devices. Do it for the security of your employer. But more importantly, do it for the safety, privacy and wellbeing of yourself, your family and friends. Cybersecurity incidents can have serious negative consequences for both your employer and you. And even if an actual security breach or data leak doesn't occur, you could be reprimanded, demoted, fired, sued or even criminally prosecuted. Take the case of former CIA director John M. Deutch. In 1996, as Deutch was leaving his position as Director of Central Intelligence, he asked if he could keep his government-issued computers because they contained his personal financial information, and he did not own a personal computer to which the data could be transferred. (This seems incomprehensible today, but it was very common at the time.) The government agreed to loan the computers to Deutch basically under the condition that he become an unpaid government consultant, not use the computers for personal work and buy a computer to which he could transfer his personal data. Fast forward a few years and it's discovered that the government computers, now at Deutch's Maryland home, had been connected to the Internet and that their hard drives contained classified information. Deutch also told government investigators that family members had access to the computers, including his wife, who "used this computer to prepare reports relating to official travel" with Deutch and another family member who used the computer "to access a university library." It was also reported at the time, that the "other family member" was Deutch's son, who in addition to accessing those university resources also visited several "high-risk" porn sites, one of which had placed cookies on the computer. A survey conducted in August 2020 by antivirus vendor Malwarebytes asked respondents how they used their work devices. The company found that 53% reported sending or receiving personal email, 52% read news, 38% shopped online, 25% accessed their social media and 22% downloaded or installed non-company software. And then of course there's the flip side, using a personal device for work. A report from cybersecurity vendor Morphisec released in June 2020 found that 56% of employees reported using their personal computer as their work device. And according to a 2020 survey by antivirus software maker Kaspersky, 57% of respondents said they checked work email on their personal smartphone and 36% did work on their personal laptop or desktop. Only 30% said they never used a work device for personal activities. Keep in mind however, survey respondents don't always provide completely accurate data. They may have forgotten past events or omit information due to embarrassment or fear of potential negative consequences. As such, I suspect these figures undercount the number of folks who are actually blending their work and personal tech. Even if nothing "bad" happens, there are still headaches from blurring the lines between your personal and professional tech. What happens when you get a new machine? What happens if you change jobs? In both cases you'll need to clean your personal data off the work machine before you give it back to IT. And depending how much personal data has accumulated on the device and how you've organized it, the process can be extremely complicated and take a significant amount of time. Also, simply copying and deleting the personal data won't completely protect your privacy. To really keep your personal information personal, you'd need to wipe the machine's hard drive or physically destroy the drive, something which will likely raise red flags with your company's IT department. You also run the risk of losing access to your data permanently if you fail to copy it all and the machine's drive is wiped or destroyed as part of your employer's computer equipment disposal policy.Further details can be found on OUR FORUM.
Google has decided that YouTube demands such a huge transcoding workload that it needs to build its own server chips. The company detailed its new "Argos" chips in a YouTube blog post, a CNET interview, and in a paper for ASPLOS, the Architectural Support for Programming Languages and Operating Systems Conference. Just as there are GPUs for graphics workloads and Google's TPU (tensor processing unit) for AI workloads, the YouTube infrastructure team says it has created the "VCU" or "Video (trans)Coding Unit," which helps YouTube transcode a single video into over a dozen versions that it needs to provide a smooth, bandwidth-efficient, profitable video site. Google's Jeff Calow said the Argos chip has brought "up to 20-33x improvements in computing efficiency compared to our previous optimized system, which was running software on traditional servers." The VCU package is a full-length PCI-E card and looks a lot like a graphics card. A board has two Argos ASIC chips buried under a gigantic, passively cooled aluminum heat sink. There's even what looks like an 8-pin power connector on the end because PCI-E just isn't enough power. Google provided a lovely chip diagram that lists 10 "encoder cores" on each chip, with Google's white paper adding that "all other elements are off-the-shelf IP blocks." Google says that "each encoder core can encode 2160p in real-time, up to 60 FPS (frames per second) using three reference frames." The cards are specifically designed to slot into Google's warehouse-scale computing system. Each computes cluster in YouTube's system will house a section of dedicated "VCU machines" loaded with the new cards, saving Google from having to crack open every server and load it with a new card. Google says the cards resemble GPUs because they are what fit in its existing accelerator trays. CNET reports that "thousands of the chips are running in Google data centers right now," and thanks to the cards, individual video workloads like 4K video "can be available to watch in hours instead of the days it previously took." Factoring in the research and development on the chips, Google says this VCU plan will save the company a ton of money, even given the below benchmark showing the TCO (total cost of ownership) of the setup compared to running its algorithm on Intel Skylake chips and Nvidia T4 Tensor core GPUs. Because YouTube is the world's biggest video site, keeping it running was originally seen as an impossible task until Google bought the company in 2006. Since then, Google has aggressively fought to keep the site's cost down, often reinventing Internet infrastructure and copyright in order to make it happen. Today, the primary infrastructure problem YouTube needs to solve for end-users is providing video that works just right for your device and bandwidth while maintaining quality. That means using a codec that is supported by your device and picking a resolution that matches your display (and not blowing up your Internet connection with a massive file). For Google, that means transcoding a single video into a lot of other videos. You can see part of this work yourself just by clicking on the gear for an 8K video, where you'll see nine total resolutions created from a single upload: 144p, 240p, 360p, 480p, 720p, 1080p, 1440p, 2160p, and 4320p. These are all different video files, and everyone needs to be created from the original 8K uploaded file—and keep in mind, this is just for your specific device. Google also needs to offer some of those nine resolutions in multiple codecs, which dictate how the video is compressed on its way over the Internet. The company wants to offer videos in the most advanced, efficient codec available to save on bandwidth, which is a massive part of YouTube's costs. Decoding a video codec gobbles up processing power, though, and on cheaper mobile devices, decoding won't happen smoothly and efficiently without dedicated hardware acceleration support for each new codec. That means Google only gets to use the best codecs on new devices, and it needs to keep copies of the video around in older codecs for older devices. Today, modern devices usually get the efficient VP9 codec, while the more compatible H.264 is kept around for devices that aren't on the cutting edge. No one truly knows the depths of YouTube's video codec selection, but the site also generally supports devices going back almost 10 years, including "low-resolution flip phones," according to the ASPLOS paper. So there are some pre-H.264 codecs, like 3GP, for ancient devices. Learn more by visiting OUR FORUM.
Executives at Instagram are planning to build a version of the popular photo-sharing app that can be used by children under the age of 13, according to an internal company post obtained by BuzzFeed News. “I’m excited to announce that going forward, we have identified youth work as a priority for Instagram and have added it to our H1 priority list,” Vishal Shah, Instagram’s vice president of product, wrote on an employee message board on Thursday. “We will be building a new youth pillar within the Community Product Group to focus on two things: (a) accelerating our integrity and privacy work to ensure the safest possible experience for teens and (b) building a version of Instagram that allows people under the age of 13 to safely use Instagram for the first time.” The current Instagram policy forbids children under the age of 13 from using the service. According to the post, the work would be overseen by Adam Mosseri, the head of Instagram, and led by Pavni Diwanji, a vice president who joined parent company Facebook in December. Previously, Diwanji worked at Google, where she oversaw the search giant’s children-focused products, including YouTube Kids. The internal announcement comes two days after Instagram said it needs to do more to protect its youngest users. Following coverage and public criticism of the abuse, bullying, or predation faced by teens on the app, the company published a blog post on Tuesday titled “Continuing to Make Instagram Safer for the Youngest Members of Our Community.” That post makes no mention of Instagram’s intent to build a product for children under the age of 13, but states, “We require everyone to be at least 13 to use Instagram and have asked new users to provide their age when they sign up for an account for some time.” The announcement lays the groundwork for how Facebook — whose family of products is used by 3.3 billion people every month — plans to expand its user base. While various laws limit how companies can build products for and target children, Instagram clearly sees kids under 13 as a viable growth segment, particularly because of the app’s popularity among teens. In a short interview, Mosseri told BuzzFeed News that the company knows that “more and more kids” want to use apps like Instagram and that it was a challenge verifying their age, given most people don’t get identification documents until they are in their mid-to-late teens. “We have to do a lot here,” he said, “but part of the solution is to create a version of Instagram for young people or kids where parents have transparency or control. It’s one of the things we’re exploring.” Mosseri added that it was early in Instagram’s development of the product and that the company doesn’t yet have a “detailed plan.” Priya Kumar, a Ph.D. candidate at the University of Maryland who researches how social media affects families, said a version of Instagram for children is a way for Facebook to hook in young people and normalize the idea “that social connections exist to be monetized.” “From a privacy perspective, you're just legitimizing children’s interactions being monetized in the same way that all of the adults using these platforms are,” she said. Kumar said children who use YouTube Kids often migrate to the main YouTube platform, which is a boon for the company and concern for parents. “A lot of children, either by choice or by accident, migrate onto the broader YouTube platform,” she said. “Just because you have a platform for kids, it doesn’t mean the kids are going to stay there.” The development of an Instagram product for kids follows the 2017 launch of Messenger Kids, a Facebook product aimed at children between the ages of 6 and 12. After the product’s launch, a group of more than 95 advocates for children’s health sent a letter to Facebook CEO Mark Zuckerberg, calling for him to discontinue the product and citing research that “excessive use of digital devices and social media is harmful to children and teens, making it very likely this new app will undermine children’s healthy development.” Facebook said it had consulted an array of experts in developing Messenger Kids. Wired later revealed that the company had a financial relationship with most of the people and organizations that had advised on the product.Details can be found on OUR FORUM.