New Year, (not so) new security problems. Hosts Greg Mooney and Jeff Edwards discuss some of the biggest tech news of this week.
CPU Chip Security Flaws - Meltdown and Spectre
Even if 2018 isn’t everything you hoped it would be so far, at least you’re doing better than Intel.
The Register reported that virtually all Intel processors that launched in the past decade have a significant chip-level security flaw that could leave content stored in protected kernel memory vulnerable to malicious code. The problem is so pervasive that it cannot be fixed with a simple patch, but requires an OS-level overwrite of the kernel.
The security flaw, which is baked in on Intel's x86/x64 hardware, is under heavy embargo because of its nature and the risk involved. However, from what could be ascertained by The Register, it has to do with how Intel processors manage kernel executions.
Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, but we're looking at a ballpark figure of 5% to 30% slowdown, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit.
The guy who found the flaw apparently wanted to report it at Black Hat 2017 in July, but was denied.
Forever 21 Confirms Breach of Payment System
This isn’t new news, but we have some more information on the Forever 21 data breach. The fashion retailer first discovered and announced the breach in November 2017, but now we’re finding out it was a lot more severe than previously believed.
Forever 21 is now reporting that the breach affected POS systems that were supposed to be encrypted but weren’t. The affected systems were carrying customer payment and credit card data from April 3rd to November 18th, 2017. That’s a lot of info at risk.
But Forever 21 hasn’t told us exactly how many customers might be affected, which isn’t a good sign.
Basically, long time to discover breach = bad. Not only does this give hackers more time to escalate privilege and do more damage, it hurts customer trust and brand reputation when it comes out.
Chipotle and GameStop both suffered similar hacks over 2017. It seems like hackers are concentrating their efforts on cracking POS systems right now.
“Nigerian Prince” Arrested… in Louisiana
It’s one of the oldest tricks in the cybercrime book — the “Nigerian prince” scam. But last week police threw the book at such a prince… in Louisiana.
Michael Neu, 67, faces 269 counts of wire fraud and money laundering after being taken into custody following an 18-month investigation. According to the police report, law enforcement officers are also looking into suspected "co-conspirators in the Country of Nigeria,” so watch out for any suspicious royalty.
John McAfee’s Twitter Hacked
World-renowned nut job, accused murderer, and creator of McAfee antivirus, John McAfee, claimed his Twitter account was hacked last week. Some shady ne'er-do-wells apparently gained control of McAfee’s account and used it to promote lesser-known cryptocurrencies. McAfee has blamed Twitter for the hack, but gave no details on how or why.
It should be noted that McAfee himself regularly promotes cryptocurrencies to his followers…
It baffles me how a guy who tweeted high resolution photos of his own passport could get hacked. https://t.co/SvRwC2htqq — MalwareTech (@MalwareTechBlog) December 27, 2017
Security Researcher Releases 15-Year-Old macOS Zero-Day Kernel Flaw
On the first day of 2018, a researcher using the online moniker Siguza released the details of an unpatched zero-day macOS vulnerability, which he suggests is at least 15 years old, and proof-of-concept (PoC) exploit code on GitHub.
The bug is a serious local privilege escalation (LPE) vulnerability that could enable an attacker to gain root access on the targeted system and execute malicious code. Malware designed to exploit this flaw could fully install itself deep within the system.
From looking at the source, Siguza believes this vulnerability has been around since at least 2002, but some clues suggest the flaw could actually be ten years older than that. "One tiny, ugly bug. Fifteen years. Full system compromise," he wrote.
Since the vulnerability only affects macOS and is not remotely exploitable, and because Apple’s bug bounty program doesn’t include macOS bugs, Siguza decided to dump his findings online instead of reporting it to Apple.
Apple Apologizes for Battery-Related Slowdown Controversy
After a few weeks of slowed down iPhones, angry customers, and the obligatory lawsuits, Apple issued an apology and lowered the price of iPhone replacement batteries from $79 to $29.
This week, an internal Apple memo revealed by a French blogger made it clear that this offer is valid for all iPhone owners, even those whose current batteries pass a Genius Bar diagnostic test. So if you have a new iPhone, you might want to speed over to your local Apple Store while this lasts.
Stay tuned for next week's Defrag This Weekly Update. Until next time, stay safe out there!