From Now On, Only Default Android Apps Can Access Call Log and SMS Data

A few hours ago the company announced its “non-shocking” plans to shut down Google+ social media network following a “shocking” data breach incident.

Now to prevent abuse and potential leakage of sensitive data to third-party app developers, Google has made several significant changes giving users more control over what type of data they choose to share with each app.

The changes are part of Google’s Project Strobe—a “root-and-branch” review of third-party developers access to Google account and Android device data and of its idea around apps’ data access.

Restricted Call Log and SMS Permissions for Apps

Google announced some new changes to the way permissions are approved for Android apps to prevent abuse and potential leakage of sensitive call and text log data by third-party developers.

While the apps are only supposed to request permission those are required for functioning properly, any Android app can ask permission to access your phone and SMS data unnecessarily.

To prevent users against surveillance and commercial spyware apps, Google has finally included a new rule under its Google Play Developer Policy that now limits Call Log and SMS permission usage to your “default” phone or SMS apps only.

“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.),” Google said.

 

Restricted Gmail API for Limited Apps

Since APIs can allow developers to access your susceptible data from your Gmail email account, Google has now finally decided to limit access to Gmail API only for apps that directly enhance email functionality—such as email clients, email backup services and productivity services.

New Privacy Interface for Third-Party App Permissions

When third-party app prompts users to access their Google account data, clicking “allow” approve all requested permissions at once, leaving an opportunity for malicious apps to trick users into giving away powerful permissions.

But now Google has updated its Account Permissions system that asks for each requested permission individually rather than all at once, giving users more control over what type of account data they choose to share with each app.

Third-Party App Permissions

While the change went into effect today, the developers have been given 90 days (January 6th) update their apps and services. After that, the updated Developer Policy will get enforced on its own.

Besides these changes, in next few hours, at 11 AM ET, Google is going to announce some cool new gadgets and Pixel devices at its third annual “Made By Google” event in New York.

Go to Source

Microsoft Patch Tuesday — October 18: Vulnerability disclosures

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, 12 of which are rated “critical,” 34 that are rated “important,” two that are considered to have “moderate” severity and one that’s rated as “low.”

The advisories cover bugs in the Chakra scripting engine, the Microsoft Edge internet browser and the Microsoft Office suite of products, among other software.

This update also includes a critical advisory that covers updates to the Microsoft Office suite of products.

Critical vulnerabilities

Microsoft has disclosed 12 critical vulnerabilities this month, which we will highlight below.

CVE-2018-8491CVE-2018-8460 and CVE-2018-8509 are memory corruption vulnerabilities in the Internet Explorer web browser. In both cases, an attacker needs to trick the user into visiting a specially crafted, malicious website that can corrupt the browser’s memory, allowing for remote code execution in the context of the current user. This class of vulnerabilities is especially dangerous since a spam campaign can be used to trick the user while hiding the attack from network protections with HTTPS.

CVE-2018-8473 is a remote code execution vulnerability in Microsoft Edge. The bug lies in the way the web browser accesses objects in memory. An attacker could trick a user into visiting a malicious website or take advantage of a website that accepts user-created content or advertisements in order to exploit this vulnerability.

CVE-2018-8513CVE-2018-8500CVE-2018-8511CVE-2018-8505 and CVE-2018-8510 are memory corruption vulnerabilities in the Chakra scripting engine that affects a variety of products. In all cases, an attacker could exploit these vulnerabilities to execute code on the system in the context of the current user and completely take over the system. This class of vulnerabilities is especially dangerous since a spam campaign can be used to trick the user while hiding the attack from network protections with HTTPS.

CVE-2018-8494 is a remote code execution vulnerability that exists when the MSXML parser in Microsoft XML Core Services processes user input. An attacker can exploit this bug by invoking MSXML through a web browser on a specially crafted website. The user also needs to convince the user to open the web page.

CVE-2018-8490 and CVE-2018-8489 are remote code execution vulnerabilities in the Windows Hyper-V hypervisor. The bugs lie in the way the host server on Hyper-V fails to properly validate input from an authenticated user on a guest operating system. An attacker could exploit these vulnerabilities by running a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

Important vulnerabilities

There are also 34 important vulnerabilities in this release. We would like to specifically highlight 22 of them.

CVE-2018-8512 is a security feature bypass vulnerability in Microsoft Edge. The web browser improperly validates certain specially crafted documents in the Edge Content Security Policy (CSP), which could allow an attacker to trick a user into loading a malicious page.

CVE-2018-8448 is an elevation of privilege vulnerability in the Microsoft Exchange email server. The bug exists in the way that Exchange Outlook Web Access improperly handles web requests. An attacker could exploit this vulnerability by performing script or content injection attacks that trick the user into disclosing sensitive information. They could also trick the user into providing login credentials via social engineering in an email or chat client.

CVE-2018-8453 is an elevation of privilege vulnerability in the Windows operating system that occurs when the Win32k component improperly handles objects in memory. An attacker could obtain the ability to run arbitrary code in kernel mode by logging onto the system and then run a specially crafted application.

CVE-2018-8484 is an elevation of privilege vulnerability in the DirectX Graphics Kernel driver that exists when the driver improperly handles objects in memory. An attacker could log onto the system and execute a specially crafted application to exploit this bug and run processes in an elevated context.

CVE-2018-8423 is a remote code execution vulnerability in the Microsoft JET Database Engine that could allow an attacker to take control of an affected system. A user must open or import a specially crafted Microsoft JET Database Engine file on the system in order to exploit this bug. They could also trick a user into opening a malicious file via email.

CVE-2018-8502 is a security feature bypass vulnerability in Microsoft Excel when the software fails to properly handle objects in protected view. An attacker could execute arbitrary code in the context of the current user if they convince the user to open a specially crafted, malicious Excel document via email or on a web page. This bug cannot be exploited if the user opens the Excel file in just the preview pane.

CVE-2018-8501 is a security feature bypass vulnerability in Microsoft PowerPoint. The bug exists when the software improperly handles objects in protected view. An attacker can execute arbitrary code in the context of the current user if they convince the user to open a specially crafted PowerPoint file. This bug cannot be exploited if the user only opens the file in preview mode.

CVE-2018-8432 is a remote code execution vulnerability that lies in the way Microsoft Graphics Components handles objects in memory. A user would have to open a specially crafted file in order to trigger this bug.

CVE-2018-8504 is a security feature bypass vulnerability in the Microsoft Word word processor. There is a flaw in the way the software handles objects in protected view. An attacker could obtain the ability to arbitrarily execute code in the context of the current user if they convince the user to open a malicious Word document. The bug cannot be triggered if the user opens the file in preview mode.

CVE-2018-8427 is an information disclosure vulnerability in Microsoft Graphics Components. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, which would expose memory layout.

CVE-2018-8480 is an elevation of privilege vulnerability in the Microsoft SharePoint collaborative platform. The bug lies in the way the software improperly sanitizes a specially crafted web request to an affected SharePoint server. An attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server.

CVE-2018-8518CVE-2018-8488 and CVE-2018-8498 are elevation of privilege vulnerabilities in the Microsoft SharePoint Server. An attacker can exploit these bugs by sending a specially crafted request to an affected SharePoint server, allowing them to carry out cross-site scripting attacks and execute code in the context of the current user.

CVE-2018-8333 is an elevation of privilege vulnerability in Filter Management that exists when the program improperly handles objects in memory. An attacker needs to log onto the system and delete a specially crafted file in order to exploit this bug, which could lead to them gaining the ability to execute code in the context of an elevated user.

CVE-2018-8411 is an elevation of privilege vulnerability that exists when the NFTS file system improperly checks access. An attacker needs to log onto the system to exploit this bug and then run a specially crafted application, which could lead to the attacker running processes in an elevated context.

CVE-2018-8320 is a security feature bypass vulnerability that exists in the DNS Global Blocklist feature. An attacker who exploits this bug could redirect traffic to a malicious DNS endpoint.

CVE-2018-8492 is a security bypass vulnerability in the Device Guard Windows feature that could allow an attacker to inject malicious code into Windows PowerShell. An attacker needs direct access to the machine in order to exploit this bug, and then inject malicious code into a script that is trusted by the Code Integrity policy. The malicious code would then run with the same access level as the script, and bypass the integrity policy.

CVE-2018-8329 is an elevation of privilege vulnerability in Linux on Windows. The bug lies in the way Linux improperly handles objects in memory. An attacker can completely take control of an affected system after logging onto the system and running a specially crafted application.

CVE-2018-8497 is an elevation of privilege vulnerability that exists in the way the Windows Kernel handles objects in memory. A locally authenticated attacker can exploit this bug by running a specially crafted application.

CVE-2018-8495 is a remote code execution vulnerability that exists in the way Windows Shell handles URIs. An attacker needs to convince the user to visit a specially crafted website on Microsoft Edge in order to exploit this vulnerability.

CVE-2018-8413 is a remote code execution vulnerability that exists when “Windows Theme API” improperly decompresses files. A victim can exploit this bug by convincing the user to open a specially crafted file via an email, chat client message or on a malicious web page, allowing the attacker to execute code in the context of the current user.

Other important vulnerabilities:

Moderate vulnerabilities

Of the two moderate vulnerabilities disclosed by Microsoft, Talos believes one is worth highlighting.

CVE-2010-3190 is a remote code execution vulnerability in the way that certain applications built using Microsoft Foundation Classes handle the loading of DLL files. An attacker could take complete control of an affected system by exploiting this vulnerability. At the time this bug was first disclosed, Exchange Server was not identified as an in-scope product, which is why this release highlights a flaw from 2010.

The other moderate vulnerability is CVE-2018-8533.

Low vulnerability

There is also one low-rated vulnerability, which Talos wishes to highlight.

CVE-2018-8503 is a remote code execution vulnerability in the way that Chakra scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker needs to convince a user to visit a malicious website or malicious content on a web page that allows user-created content or advertisements in order to exploit this bug.

Go to Source
Author: Talos Group

New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access

A known vulnerability in MikroTik routers is potentially far more dangerous than previously thought.

A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year.

The vulnerability, identified as CVE-2018-14847, was initially rated as medium in severity but should now be rated critical because the new hacking technique used against vulnerable MikroTik routers allows attackers to remotely execute code on affected devices and gain a root shell.

The vulnerability impacts Winbox—a management component for administrators to set up their routers using a Web-based interface—and a Windows GUI application for the RouterOS software used by the MikroTik devices.

The vulnerability allows “remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.”

New Hack Turned ‘Medium’ MikroTik Vulnerability Into ‘Critical’

However, the new attack method found by Tenable Research exploits the same vulnerability and takes it to one step ahead.

A PoC exploit, called “By the Way,” released by Tenable Research Jacob Baines, first uses directory traversal vulnerability to steal administrator login credentials from user database file and the then writes another file on the system to gain root shell access remotely.

In other words, the new exploit could allow unauthorized attackers to hack MikroTik’s RouterOS system, deploy malware payloads or bypass router firewall protections.

The technique is yet another security blow against MikroTik routers, which was previously targeted by the VPNFilter malware and used in an extensive cryptojacking campaign uncovered a few months ago.

New MikroTik Router Vulnerabilities

Besides this, Tenable Research also disclosed additional MikroTik RouterOS vulnerabilities, including:

  • CVE-2018-1156—A stack buffer overflow flaw that could allow an authenticated remote code execution, allowing attackers to gain full system access and access to any internal system that uses the router.
  • CVE-2018-1157—A file upload memory exhaustion flaw that allows an authenticated remote attacker to crash the HTTP server.
  • CVE-2018-1159—A www memory corruption flaw that could crash the HTTP server by rapidly authenticating and disconnecting.
  • CVE-2018-1158—A recursive parsing stack exhaustion issue that could crash the HTTP server via recursive parsing of JSON.

The vulnerabilities impact Mikrotik RouterOS firmware versions before 6.42.7 and 6.40.9.

Tenable Research reported the issues to MikroTik in May, and the company addressed the vulnerabilities by releasing its RouterOS versions 6.40.9, 6.42.7 and 6.43 in August.

While all the vulnerabilities were patched over a month ago, a recent scan by Tenable Research revealed that 70 percent of routers (which equals to 200,000) are still vulnerable to attack.

The bottom line: If you own a MikroTik router and you have not updated its RouterOS, you should do it right now.

Also, if you are still using default credentials on your router, it is high time to change the default password and keep a unique, long and complex password.

Go to Source

New iPhone Passcode Bypass Hack Exposes Photos and Contacts

Looking for a hack to bypass the passcode or screen lock on iPhones?

Jose Rodriguez, an iPhone enthusiast, has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that potentially allows an attacker to access photos and contacts, including phone numbers and emails, on a locked iPhone XS and other recent iPhone models.

Rodriguez, who also discovered iPhone lock screen hacks in the past, has posted two videos (in Spanish) on his YouTube channel under the account name Videosdebarraquito demonstrating a complicated 37-step iPhone passcode bypass process.

The iPhone authorization screen bypass flaw works on the latest iPhones, including the iPhone XS, running Apple’s latest iOS 12 beta and iOS 12 operating systems.

Video Demonstrations: Here’s How to Bypass iPhone Passcode

As you can watch in the video demonstrations, the iPhone hack works provided the attacker has physical access to the targeted iPhone that has Siri enabled and Face ID either disabled or physically covered.

Once these requirements are satisfied, the attacker can begin the complicated 37-step iPhone passcode bypass process by tricking Siri and iOS accessibility feature called VoiceOver to sidestep the iPhone’s passcode.

Soon after Rodriguez released his videos, a tech channel on YouTube under the handle EverythingApplePro published a video in English explaining the same passcode bypass hack on iPhone XS.

This iPhone passcode bypass method potentially allows the attacker to access the contacts stored in the iPhone, including phone numbers and email addresses, and to access Camera Roll and other photo folders, by selecting a contact to edit and change its image.

Though Apple has some built-in security measures to prevent this from happening, Rodriguez found a way to bypass those security barriers, as you can see in the video.

Here’s how to Fix the iPhone Passcode Bypass Bug

The passcode bypass methods work on all iPhones including the latest iPhone XS lineup, but the company does not appear to have patched the vulnerabilities in the latest iOS 12.1 beta.

Until Apple comes up with a fix, you can temporarily fix the issue by just disabling Siri from the lockscreen. Here’s how to disable Siri:

  • Go to the Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and Disable Siri toggle under “Allow access when locked.”

Of course, disabling Siri would cripple your iOS 12 experience, but would prevent attackers from abusing the feature and breaking into your iPhone.

Meanwhile, just wait for Apple to issue a software update to address the issue as soon as possible.

iPhone passcode bypass hack has become common over the last few years and appears almost after every iOS release. An iOS 9.3.1 passcode bypass was found last year, allowing an attacker to bypass Siri to search Twitter and gain access to locked iPhone’s photos and contacts.

Go to Source

Pangu Hackers have Jailbroken iOS 12 on Apple’s New iPhone XS

Bad news for Apple.

The Chinese hacking team Pangu is back and has once again surprised everyone with a jailbreak for iOS 12 running on the brand-new iPhone XS.

Well, that was really fast.

Pangu jailbreak team has been quiet for a while, since it last released the untethered jailbreak tool for iOS 9 back in October 2015.

Jailbreaking is a process of removing limitations on Apple’s iOS devices so users can install third-party software not certified by Apple.

Today, Android and iOS security researcher Min(Spark) Zheng shared a Tweet with two screenshots showing a working jailbreak on Apple’s newly released iPhone XS with A12 Bionic chip achieved by one of the Pangu researchers.

The Tweet also revealed that the iOS 12 jailbreak works by bypassing a functional PAC (Pointer authentication codes) mitigation implemented in the new Apple’s A12 Bionic chip.

pangu hacking team

Moreover, since the hardware of iPhone XS is very much identical to iPhone XS Max, the new iOS 12 jailbreak exploit should also work on both Apple’s latest flagship iPhones.

Since the Pangu jailbreak team has not made any official announcement regarding the new jailbreak, it is not clear whether or not the team will release the iOS 12 jailbreak to the public.

Also, before jailbreaking your Apple devices, just keep in mind that this will violate your End User License Agreement with Apple and also exposes your iOS device to security bugs, putting your personal data at risk, for which you won’t be getting Apple’s help if anything goes wrong.

Jailbreaking your iPhones also opens up your device to iOS malware such as KeyRaider and YiSpectorthat specifically targeted iOS users with jailbroken devices.

So, how are you feeling right now about the new jailbreaking? Let us know in the comments below.

Go to Source

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe.

Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy BearStrontium, and Sofacy, to target several government organizations in the Balkans as well as in Central and Eastern Europe.

Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election.

UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a computer, which links a computer’s hardware and operating system at startup and is typically not accessible to users.

How Does LoJax UEFI Rootkit Work?

According to the ESET researchers, the LoJax malware has the ability to write a malicious UEFI module into the system’s SPI flash memory, allowing BIOS firmware to install and execute malware deep inside the computer disk during the boot process.

“This patching tool uses different techniques either to abuse misconfigured platforms or to bypass platform SPI flash memory write protections,” ESET researchers said in a blog post published today.

Since LoJax rootkit resides in the compromised UEFI firmware and re-infects the system before the OS even boots, reinstalling the operating system, formatting the hard disk, or even replacing the hard drive with a new one would not be sufficient to clean the infection.

Flashing the compromised firmware with legitimate software is the only way to remove such rootkit malware, which typically is not a simple task for most computer users.

LoJax UEFI rootkit malware

First spotted in early 2017, LoJax is a trojaned version of a popular legitimate LoJack laptop anti-theft software from Absolute Software, which installs its agent into the system’s BIOS to survive OS re-installation or drive replacement and notifies device owner of its location in case the laptop gets stolen.

According to researchers, the hackers slightly modified the LoJack software to gain its ability to overwrite UEFI module and changed the background process that communicates with Absolute Software’s server to report to Fancy Bear’s C&C servers.

Upon analyzing the LoJax sample, researchers found that the threat actors used a component called “ReWriter_binary” to rewrite vulnerable UEFI chips, replacing the vendor code with their malicious one.

“All the LoJax small agent samples we could recover are trojanizing the exact same legitimate sample of the Computrace small agent rpcnetp.exe. They all have the same compilation timestamp and only a few tens of bytes are different from the original one,” ESET researchers said.

“Besides the modifications to the configuration file, the other changes include timer values specifying the intervals between connections to the C&C server.”

LoJax is not the first code to hide in the UEFI chip, as the 2015 Hacking Team leak revealed that the infamous spyware manufacturer offered UEFI persistence with one of its products.

Also, one of the CIA documents leaked by Wikileaks last year gave a clear insight into the techniques used by the agency to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones, demonstrating their use of EFI/UEFI and firmware malware.

However, according to ESET, the LoJax rootkit installation uncovered by its researchers is the first ever recorded case of a UEFI rootkit active in the wild.

How to Protect Your Computer From Rootkits

As ESET researchers said, there are no easy ways to automatically remove this threat from a system.

Since UEFI rootkit is not properly signed, users can protect themselves against LoJax infection by enabling the Secure Boot mechanism, which makes sure that each and every component loaded by the system firmware is properly signed with a valid certificate.

If you are already infected with such malware, the only way to remove the rootkit is to reflash the SPI flash memory with a clean firmware image specific to the motherboard, which is a very delicate process that must be performed manually and carefully.

Alternative to reflashing the UEFI/BIOS, you can replace the motherboard of the compromised system outright.

“The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats. Such targets should always be on the lookout for signs of compromise,” researchers wrote.

For more in-depth details about the LoJax root, you can head onto a white paper [PDF], titled the “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group,” published on Thursday by ESET researchers.

Go to Source

Counting People Through a Wall with WiFi

Interesting research:

In the team’s experiments, one WiFi transmitter and one WiFi receiver are behind walls, outside a room in which a number of people are present. The room can get very crowded with as many as 20 people zigzagging each other. The transmitter sends a wireless signal whose received signal strength (RSSI) is measured by the receiver. Using only such received signal power measurements, the receiver estimates how many people are inside the room ­ an estimate that closely matches the actual number. It is noteworthy that the researchers do not do any prior measurements or calibration in the area of interest; their approach has only a very short calibration phase that need not be done in the same area.

Academic paper.

Go to Source
Author: Bruce Schneier

Watch Out! This New Web Exploit Can Crash and Restart Your iPhone

It’s 2018, and just a few lines of code can crash and restart any iPhone or iPad and can cause a Mac computer to freeze.

Sabri Haddouche, a security researcher at encrypted instant messaging app Wire, revealed a proof-of-concept (PoC) web page containing an exploit that uses only a few lines of specially crafted CSS & HTML code.

Beyond just a simple crash, the web page, if visited, causes a full device kernel panic and an entire system reboot.

The Haddouche’s PoC exploits a weakness in Apple’s web rendering engine WebKit, which is used by all apps and web browsers running on the Apple’s operating system.

Since the Webkit issue failed to properly load multiple elements such as “div” tags inside a backdrop filter property in CSS, Haddouche created a web page that uses up all of the device’s resources, causing shut down and restart of the device due to kernel panic.

You can also watch the video demonstration published by the researcher, which shows the iPhone crash attack in action.

All web browsers, including Microsoft Edge, Internet Explorer, and Safari on iOS, as well as Safari and Mail in macOS, are vulnerable to this CSS-based web attack, because all of them use the WebKit rendering engine.

Windows and Linux users are not affected by this vulnerability.

The Hacker News tested the attack on different web browsers, including Chrome, Safari, and Edge (on MacBook Pro and iPhone X) and it still worked on the latest version of both macOS and iOS operating systems.

So, Apple users are advised to be vigilant while visiting any web page including the code or clicking on links sent over their Facebook or WhatsApp account, or in an email.

Haddouche has posted the source code of the CSS & HTML web page that causes this attack on his GitHub page

Haddouche said he already reported the issue to Apple about the Webkit vulnerability and the company is possibly investigating the issue and working on a fix to address it in a future release.

Go to Source

New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs

Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.

The attack is a new variation of a traditional Cold Boot Attack, which is around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after the computer is shut down.

However, to make the cold boot attacks less effective, most modern computers come bundled with a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM when the power on the device is restored, preventing the data from being read.

Now, researchers from Finnish cyber-security firm F-Secure figured out a new way to disable this overwrite security measure by physically manipulating the computer’s firmware, potentially allowing attackers to recover sensitive data stored on the computer after a cold reboot in a matter of few minutes.

“Cold boot attacks are a known method of obtaining encryption keys from devices. But the reality is that attackers can get their hands on all kinds of information using these attacks. Passwords, credentials to corporate networks, and any data stored on the machine are at risk,” the security firm warns in a blog post published today.

 

Video Demonstration of the New Cold Boot Attack

Using a simple tool, researchers were able to rewrite the non-volatile memory chip that contains the memory overwrite settings, disable it, and enable booting from external devices. You can also watch the video demonstration performing the attack below.

Like the traditional cold boot attack, the new attack also requires physical access to the target device as well as right tools to recover remaining data in the computer’s memory.

“It’s not exactly easy to do, but it is not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” says F-Secure principal security consultant Olle Segerdahl, one the two researchers.

“It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”

 

How Microsoft Windows and Apple Users Can Prevent Cold Boot Attacks

cold boot attack on full disk encryption

According to Olle and his colleague Pasi Saarinen, their new attack technique is believed to be effective against nearly all modern computers and even Apple Macs and can’t be patched easily and quickly.

The two researchers, who will present their findings today at a security conference, say they have already shared their findings with Microsoft, Intel, and Apple, and helped them explore possible mitigation strategies.

Microsoft updated its guidance on Bitlocker countermeasures in response to the F-Secure’s findings, while Apple said that its Mac devices equipped with an Apple T2 Chip contain security measures designed to protect its users against this attack.

But for Mac computers without the latest T2 chip, Apple recommended users to set a firmware password in order to help harden the security of their computers.

Intel has yet to comment on the matter.

The duo says there’s no reliable way to “prevent or block the cold boot attack once an attacker with the right know-how gets their hands on a laptop,” but suggest the companies can configure their devices so that attackers using cold boot attacks won’t find anything fruitful to steal.

Meanwhile, the duo recommends IT departments to configure all company computers to either shut down or hibernate (not enter sleep mode) and require users to enter their BitLocker PIN whenever they power up or restore their PCs.

Attackers could still perform a successful cold boot attack against computers configured like this, but since the encryption keys are not stored in the memory when a machine hibernates or shuts down, there will be no valuable information for an attacker to steal.

Go to Source