YOUR WI-FI IS FUCKED

[NikoBaltimore]

Yeah, I certainly wouldn't recommend Kaspersky.  At work we have a corporate version of Symantec which does us pretty well.  That along with Malwarebytes here and we're in good shape.  At home it's mainly Malwarebytes and Windows Defender.  We're careful with what we do online but know we'll need to find something better.  At least we finally got around to hooking up the PC and PS4 to ethernet so that'll tide us over until get something.

[J.T.]

1 hour ago, Mickie Zeidler said:

As Matt intimated, Kaspersky may have been in on the whole Russian collusion thing with the election.  I don't know the details, but I'm surprised InfoSec people on the board would recommend it.  Y'all generally a bunch of paranoid weirdos about the most common stuff.

Eh, Kapersky Labs would be cutting its own throat commercially and financially if it ever came out that it willingly provided back door access to Russian intelligence via its software.

It relies on more than Russian customers for its revenue.  It may as well file for bankruptcy if it did something that stupid.  No one would purchase its products after that.

I'm more inclined to believe that FSB cracked Kapersky AV without the company's knowledge or permission and uses those exploits under the radar just as the NSA got caught developing proprietary cracks for Android, iOS, and other operating systems.

[Craig H]

Is this wifi thing even still a thing? I only saw a couple places, this being one of them, make a big deal out of it. I haven't noticed any Android, Windows, Netgear, or Motorola updates to even address this issue.

[J.T.]

8 minutes ago, Craig H said:

Is this wifi thing even still a thing? I only saw a couple places, this being one of them, make a big deal out of it. I haven't noticed any Android, Windows, Netgear, or Motorola updates to even address this issue.

I'm not sure about Android, but Microsoft had a patch for Windows days after the knowledge of the exploit was made public in the news.

I would imagine that Android is also patched, but you may want to contact your vendor for information.

[Craig H]

I probably didn't notice it then. Still, wouldn't Netgear, Motorola, or any other router or modem manufacturer issue a firmware or software update?

[J.T.]

4 minutes ago, Craig H said:

I probably didn't notice it then. Still, wouldn't Netgear, Motorola, or any other router or modem manufacturer issue a firmware or software update?

You can always contact the vendor of your equipment or look on their website to see if a firmware update has been issued.. 

Unless you're renting the equipment and your internet provider silently pushed the update to your equipment, you'll have to manually update the firmware on your shizzle.

There should be info and instructions on how to get that done in the owner's manuals of the items.

[Lamp, broken circa 1988]

Two things.

1) Android wont patch until November 6th. This issue is rolled up in their OS-wide security update, and rather perplexingly they chose not to hotfix it at all, despite Android phones being among the most susceptible to remote code execution.

2) Funny story: I get my internet through Spectrum, and we have their Modem And Phone thing. The company who makes it has basically responded with "man idk if someone breaks our actual stuff we'll fix it but not a moment sooner." Shout out to Arris, who are apparently WPA2-truthers.

[Ryan]

My modem's been going in an out and being stupid all the last week, so maybe they did something or just hate me.

[tbarrie]

14 hours ago, BL88 said:

Two things.

1) Android wont patch until November 6th. This issue is rolled up in their OS-wide security update, and rather perplexingly they chose not to hotfix it at all, despite Android phones being among the most susceptible to remote code execution.

Yeah, I'm not impressed with the lack of urgency Google is treating this with. And as I understand, when and whether a specific device actually gets the update is up to the manufacturers. So we could be waiting a lot longer for a fix.

[Zimbra]

AT&T at least has gotten their shit together with pushing out the monthly security updates immediately, but I can't speak for other carriers.

[Technico Support]

On 10/26/2017 at 9:05 AM, tbarrie said:

Yeah, I'm not impressed with the lack of urgency Google is treating this with. And as I understand, when and whether a specific device actually gets the update is up to the manufacturers. So we could be waiting a lot longer for a fix.

Google gives no fucks.  What are you going to do, switch to a Microsoft phone?  lolololol

"Don't be evil" my sweet ass.

[tbarrie]

Bumping this thread to say that my Samsung phone finally got a security update a couple of days ago, but when I checked the security patch level afterwards, it read Nov 1. Apparently it's the Nov 6 patch that fixes Krack. (And it seems even Nexi and Pixels didn't get that until December.) My Samsung tablet still has a security patch level of Aug 1.

Anybody know of a manufacturer who actually pushed out the Nov 6 patch in reasonable time? Might affect my next purchase.

[J.T.]

Well, I have to retract my previous statement.  Department of the Army issued a memo today saying that it is officially taking Kapersky off of its Approved Software List after a recommendation by NSA, so I uninstalled Kapersky and replaced it with Panda's security suite.

NSA believes that Kapersky Labs is trading state funding from Moscow in exchange for granting superuser access to its software to the FSB.

If Kapersky really is cooperating with the Russian Government and is giving them back door access to systems through their AV, it is probably one of the dumbest moves a software company has ever made.  How are you going to do business internationally if other countries believe that your shit is spyware coopted by a foreign power?

[Raziel]

How is Panda, because McAfee is starting to really bug the shit out of me since the last update and not whitelisting shit properly, and Norton blows, so I'm in the market?  

[Technico Support]

I never trusted Kaspersky.  I've seen enough episodes of Cyberwar on Vice to understand that all Russia's government agencies, cyber criminals, businesses, and the mob are, in the immortal words of Vncent Kennedy McMahon, "in cahoots." 

[J.T.]

1 hour ago, Raziel403 said:

How is Panda, because McAfee is starting to really bug the shit out of me since the last update and not whitelisting shit properly, and Norton blows, so I'm in the market?  

It does what it's supposed to do.  My review of Panda would not exactly be glowing, but the freeware version keeps shit off of your computer and that's all I ask of it right now.

1 hour ago, Technico Support said:

I never trusted Kaspersky.  I've seen enough episodes of Cyberwar on Vice to understand that all Russia's government agencies, cyber criminals, businesses, and the mob are, in the immortal words of Vncent Kennedy McMahon, "in cahoots." 

Eh, you could almost say the same about nearly any software company, although you still have see a healthy amount of tradtional hacker skepticism of government benevolence in US software companies and even in the government.  I am a good example.

If anything, this has caused me to look at Kaspersky Labs in a new light.  They were the ones that tracked down and decompiled the Stuxnet worm, so did they do it for the good of the internet or were they doing the bidding of the Russian government by helping an ally in Iran?

And then Kapersky apparently sat on its ass when Iraqi hackers rewrote Stux and used it against oil refineries in Saudi.. a US ally...

My netizen altruism has taken a huge blow.

[Robert S]

I am too lazy to open a new thread, but now all your PCs (and smartphones) are fucked:

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

The second one is much less severe, on the other hand it does not only effect x86 Intel CPUs but also the ARM architecture. Fixes for Meltdown are available, though some benchmarks (done with Linux as there it's much easier to compare pre-fix and post-fix kernels) indicate severe effects on performance in certain scenarios. Fixes for Windows also seem to lead to compatibility problems with certain software, for example antivirus software.

And just for your amusement: Intel CEO Brian Krzanich sold half his Intel stock in December, long after Intel got informed about the issues, but obviously before they were published:

http://money.cnn.com/2018/01/04/technology/business/brian-krzanich-intel-shares/

[tbarrie]

Yeah, Krack was bad (and my fucking Samsung devices still haven't been patched for it), but it sounds like this is quite a bit worse.

[J.T.]

This is a good enough thread as any to discuss all things InfoSec and CommSec.

[tbarrie]

We need a mod to change the thread title to "Everything is fucked".

[Robert C]

Fun fact - Intel's corporate IT flags DVDVR as a security risk.

[Lamp, broken circa 1988]

lol just the other day, I was thinking "do I bump this thread with the spectre/meltdown stuff" and then got distracted or something and didn't post it at all. I learned about this on my way into physical therapy and just spent the whole time going "shit. shit. shit. shit." with every rep.

It's also worth noting that Microsoft's updates have already accounted for Meltdown in some respect, and since Meltdown is the easier one to use at the moment that's good news.

But really, this is such a huge problem that I'm not capable of freaking out at it simply because of the sheer scope of it. All you can really do is save money for a new PC and hope you're not a tasty enough target.

EDIT: Oh, and the fact that google outed this sure puts a different light on "why aren't they taking Krack so seriously?!" I just imagine it like, part of their department probably went "UHH EVERY PROCESSOR EVER MIGHT BE FUCKED, STAND BY" and didn't say anything for like a month while the Krack thing made the rounds.

[Robert S]

The biggest thing about Meltdown is that while now that it's out everyone is fixing what they can who knows what hackers and intelligence services around the world were doing with this for the 20+ years that the issue is out. I mean if two groups found the issue independently of each other the chance that attackers did so in the past is quite high.

[J.T.]

On ‎1‎/‎5‎/‎2018 at 11:38 PM, Robert C said:

Fun fact - Intel's corporate IT flags DVDVR as a security risk.

Back in the day, the board got hacked and every embedded hyperlink led to a malware upload.  Page has been flagged ever since.

[Craig H]

Oh boy... https://www.theverge.com/2018/1/9/16867068/microsoft-meltdown-spectre-security-updates-amd-pcs-issues

So, my friend's computer was likely affected by this. Microsoft Update downloaded and installed a patch for him and his computer has been fucked since. He has an AMD processor and it's a newer one. Basically, he goes to start his computer and he just gets the spinning circle of dots and that's it. He can physically restart his PC and then the same thing happens.