
Zero days since last vulnerability

Equation Group : Hard disk firmware infection
My renewed interest in computer security was triggered by the wonderfully detailed article on Ars Technica about the alleged NSA program, dubbed Equation Group, to plant code into hard disk firmware.  What made the approach remarkable:


  1. It could be done over the internet, through an already compromised system.
  2. It was effectively impossible to detect with a scan of the disk, because the implant lives in the drive's firmware rather than in the data the operating system can read; only a detailed network analysis could expose it.
  3. The way Kaspersky Labs finally exposed it: partly by taking over expired domains that had acted as command-and-control servers.


The biggest reason I was so intrigued by this event is the article itself.  It is detailed where it needs to be and brief where it needs to be.  It's perfect for someone who wants to understand the issue and has only a little knowledge of how computer systems work.  Read it.  This article is a thing of beauty.

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last


Lenovo's Superfish disaster
My interest was soon rewarded by the revelation of another big issue in the field of computer security.
This time, it was malware/adware/bloatware that came pre-installed on Lenovo laptops.  As the story unfolded, it became clear that the issue went further than just unwanted software on the computer.  The software, built by a company named Superfish on an SDK provided by Komodia, installed its own root certificate so that it could intercept HTTPS traffic on the laptops and inject ads into websites.  It would simply be classified as adware, were it not for:


  1. A MITM (Man In The Middle) attack on TLS connections was required to serve the ads.
  2. The root certificate was installed on the computer by the OEM and was trusted for all purposes.
  3. The private key of the root certificate was protected only by the password "komodia", which is not just a weak password but was the same on every system.  Anyone holding that key could sign a certificate for any website, and the infected system would accept it.
  4. The SDK handled sites presenting invalid certificates by re-signing them under the root anyway, changing only the Common Name to force a failure while leaving the Subject Alternative Names unchanged.  Since browsers check the alternative names in preference to the Common Name, the re-signed certificate for an invalid site was still accepted.


This story broke on Twitter and I was following these revelations as they were being published.  It was quite the experience to watch an issue grow from unwanted software into a full-blown security vulnerability.
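To make point 4 concrete, here is an added example (not code from the original post, nor from Komodia or Superfish) that models the re-signing behaviour against a browser-style hostname check. Certificates are plain dicts holding the subject Common Name, the SAN list and whether the chain validated, so it runs offline without a TLS library; the function names, the sample hostnames and the "verify_fail." marker string are my assumptions, not details from the post.

```python
"""Model of the Komodia certificate re-signing bug described above.

Added example, not code from the original post or from Komodia/Superfish.
Certificates are plain dicts (subject CN, SAN list, whether the chain
validated) rather than real X.509 objects, so it runs offline with no TLS
library; all function names and the "verify_fail." marker are assumptions.
"""


# Constructed sample: an upstream server presents a self-signed certificate
# that a browser would normally refuse.
UPSTREAM_INVALID_CERT = {
    "subject_cn": "www.example-bank.test",
    "sans": ["www.example-bank.test", "example-bank.test"],
    "valid_chain": False,  # self-signed: does not chain to any trusted root
}


def _name_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: exact, or a single left-most wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def browser_hostname_ok(cert, hostname):
    """How browsers check a name: an untrusted chain fails outright; if any
    SAN is present the CN is ignored and only the SAN list is consulted."""
    if not cert["valid_chain"]:
        return False
    if cert["sans"]:
        return any(_name_matches(san, hostname) for san in cert["sans"])
    return _name_matches(cert["subject_cn"], hostname)


def cn_only_hostname_ok(cert, hostname):
    """A naive check that looks only at the CN; this is all that the CN
    mangling below actually defeats."""
    return cert["valid_chain"] and _name_matches(cert["subject_cn"], hostname)


def komodia_style_resign(upstream_cert):
    """Interception proxy as described in the post: every site is re-signed
    under the OEM-installed root, so the result always chains.  For an
    upstream certificate that did NOT validate, the CN is altered so a
    CN-based check fails, but the SANs are copied through unchanged."""
    cn = upstream_cert["subject_cn"]
    if not upstream_cert["valid_chain"]:
        cn = "verify_fail." + cn  # assumed marker; exact string not in the post
    return {"subject_cn": cn, "sans": list(upstream_cert["sans"]), "valid_chain": True}


def hardened_resign(upstream_cert):
    """What the proxy should have done: refuse to mint a trusted certificate
    for anything it could not validate itself (fail closed)."""
    if not upstream_cert["valid_chain"]:
        return None
    return {"subject_cn": upstream_cert["subject_cn"],
            "sans": list(upstream_cert["sans"]), "valid_chain": True}


def demo(hostname="www.example-bank.test"):
    """Run the constructed sample through both proxies and both checks."""
    resigned = komodia_style_resign(UPSTREAM_INVALID_CERT)
    return {
        "upstream_accepted": browser_hostname_ok(UPSTREAM_INVALID_CERT, hostname),
        "resigned_cn_only": cn_only_hostname_ok(resigned, hostname),
        "resigned_browser": browser_hostname_ok(resigned, hostname),
        "hardened_issued": hardened_resign(UPSTREAM_INVALID_CERT) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the three states side by side: the raw self-signed certificate is rejected, the re-signed one fails a CN-only check as intended, yet the same re-signed certificate passes the check a real browser performs because its SANs still name the site. The hardened variant simply refuses to issue anything for a chain it could not validate, which is the only safe behaviour for an interception proxy.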


Miscellaneous
Then there was :


Security in the digital age is about constant vigilance and in-depth knowledge of how systems work.  The last week has been very interesting in terms of computer security issues with wide-ranging effects.
