HP’s Built-in Keystroke Logger

Many HP laptops have a built-in keylogger in their audio drivers according to computer security firm Modzero AG (via Ars’ Dan Goodin). Keyloggers record what you type, typically covertly, for the purposes of someone else getting access to that text data later on. In this case the researches did not find any malicious capability in the driver that uploads the recorded text to a remote location, but it is very easy to access the data coming out of the driver by anyone who has access to your computer.

It would make it very easy for a piece of malware on your computer to track what you type without jumping through extra steps.

That HP shipped this audio driver on their laptops to thousands or millions of customers since 2015 is very worrying.

You can test your HP laptop for this vulnerability by checking the list of affected models after the break or just delete these files if they’re installed on your computer:
C:\Users\Public\MicTray.log
C:\Windows\System32\MicTray64.exe
C:\Windows\System32\MicTray.exe

Continue reading “HP’s Built-in Keystroke Logger”

Typosquatting Package Managers

Fascinating attack on unmoderated package managers for programming libraries (via former TimeDoctor contributor, Vogon)  that would work just as well on unmoderated app stores:

In the second part of 2015 and the early months of 2016, I worked on my bachelors thesis. In this thesis, I tried to attack programming language package managers such as Pythons PyPi, NodeJS Npmsjs.com and Rubys rubygems.org. The attack does not exploit a new technical vulnerability, it rather tries to trick people into installing packages that they not intended to run on their systems

[…]

So basically we create a fake package that has a similar name as a famous package on PyPi, Npmjs.com or rubygems.org. For example we could upload a package named reqeusts instead of the famous requests module.

It ends up being very successful:

In two empirical phases, exactly 45334 HTTP requests by 17289 unique hosts (distinct IP addresses) were gathered. This means that 17289 distinct hosts executed the program above and sent the data to the webserver which was analyzed in the thesis. The number of HTTP requests is for various reasons higher than the number of distinct IP addresses. The main reason is that pip executes the setup.py file twice on installation. Don’t ask me why.

Steam Website Leaking User Information

The Steam website was completely broken for several hours today. Attempting to load any page on the site would give you another user’s version of that page including any personal details. This was also happening in the desktop client. Users on several sites produced screenshots that included blacked-out versions of pages that had other users’ details such as their billing address and Steam usernames. For example, I was able to load other people’s shopping cart just by visiting the regular cart page. Unlike many other services, the login username on Steam is to be kept secret.

As of this writing, hours later, logging in to Steam via the website just takes you to a logged-out version of the Steam page. The SteamDB site (not affiliated with Valve or Steam) has written up a note about the outage and security leak with some assumptions about how it happened. I agree with their suggestion to not store credit card details with Steam, or any online vendor as Sony proved a few years ago when their online storefront was hacked.

Goodbye, Android

Rightfully scathing article from Vice’s Motherboard’s Lorenzo Franceschi-Bicchierai:

I’ve been antagonistic with Apple products ever since I was a teenager, when Apple used to try to shove its apps down my throat (cough iTunes cough) whenever I just wanted to watch a movie trailer on Quicktime. I never liked Apple’s walled garden and “we-control-everything” approach, and I particularly disliked Apple fanboys’ dumb “oh my god there’s a new iThing coming out” reverence and hysteria.

So when the original iPhone came out a few years ago, I swore in multiple heated discussions with friends and strangers that I’d never buy an iPhone. Since then, I’ve only owned Android phones. First a few HTC ones, now a Sony phone.

Well, I’m sick of it. And I’m ready to go to the dark side.

I love the Android users in the comments chiming in that rooting a device and installing a custom ROM is a reasonable thing to do for Android devices that receive no updates from their carriers and manufacturers.

The ability for devices to receive updates in a timely fashion is critical to having even the vaguest hint of security in our post-Snowden revelations world. Windows 10‘s silent update mechanism is a great step in that direction for end-user security. Google even does it for their Chrome browser. Everybody else needs to get on board with it.