We have a great show today, mostly about what NOT to do! There are several manufacturers and providers, and HUNDREDS of products, that you need to avoid, including some big names like Intel, Adobe, Kaspersky and maybe Huawei. We don’t make these recommendations lightly because we know that if all of our listeners stop buying these products, it will hurt the business of legitimate companies. However, the nature and the scale of the vulnerabilities in these particular products leave no room for doubt – for now. Hopefully, more information comes to light in the future that can resurrect some of these products (except Adobe Flash, which should be removed from every computer everywhere, ASAP).
Raffael Marty is VP of security analytics at Sophos, and is responsible for all strategic efforts around security analytics for the company and its products. He is based in San Francisco, California. Marty is one of the world’s most recognized authorities on security data analytics, big data and visualization. His team at Sophos spans these domains to help build products that provide Internet security solutions to Sophos’ vast global customer base. Previously, Marty launched pixlcloud, a visual analytics platform, and Loggly, a cloud-based log management solution. With a track record at companies including IBM Research, ArcSight, and Splunk, he is thoroughly familiar with established practices and emerging trends in the big data and security analytics space. Marty is the author of Applied Security Visualization and a frequent speaker at academic and industry events. Zen meditation has become an important part of Raffy’s life, sometimes leading to insights not in data but in life.
Computers with Intel Chips
Hair on fire: 5 of 5
Like I said in our last few episodes – if you are buying a new computer for yourself or your company, STOP. I strongly recommend that you do not buy any computer with an Intel chip. I don’t make that recommendation lightly.
- Intel was informed in July 2017 of the two variants of Spectre and the variant of Meltdown.
- Intel has an architecture problem to fix (a firmware fix is not the same as a hardware fix). NOTE: Other CPU makers are vulnerable to Spectre, but their patches seem to be working (http://www.zdnet.com/article/windows-10-update-microsofts-latest-bug-fixes-include-amd-reboot-patches/). The design of Intel chips seems to be the issue.
- STILL NOT FIXED (Intel completed its latest update on February 20, 2018 and sent it to computer manufacturers; now we wait for the computer manufacturers to send out the updates)!! We are *assuming* this update will be stable; the last one was not.
- Even if Intel patches these flaws, the ‘fix’ will be intentionally in conflict with the design of the physical chip and its firmware, which could create vulnerabilities, performance issues and unforeseen consequences.
- To truly fix the problem, Intel has to redesign chips, test them, produce them, and sell them to computer/smartphone manufacturers, who then have to sell them to you. COULD TAKE YEARS!
List of vulnerable computers:
Huawei (Wah- Way) and ZTE
Hair on fire = 1 of 5… make your own decision.
FBI, CIA and NSA say American citizens shouldn’t use Huawei phones. The government has been investigating both companies on the commercial level (telecom equipment) since 2011.
No actual exploits found; thin argument:
The U.S. government has been after Huawei and ZTE since 2011, when the House Intelligence Committee began an investigation of these two firms as telecommunications equipment suppliers. It ultimately found their cooperation with the Chinese authorities suspicious, though no specific backdoors in the equipment were discovered. Since the damaging report came out, however, Lenovo, a Chinese firm, acquired Chicago-based Motorola Mobility from Google — and, despite periodic noises from the Pentagon as well as U.S. and allied intelligence agencies that Lenovo devices pose a security risk, there is no visible pressure on carriers to stop selling Lenovo and Motorola phones.
Hair on fire= 5 out of 5
Time to kill all of your Flash plugins. Why?
- Flash is being retired in just 2 years. Adobe is ‘sunsetting’ it.
- Flash has ANOTHER brand new exploit (a.k.a. Zero Day)
- The exploit is REALLY BAD! Remote code execution. https://www.symantec.com/security_response/vulnerability.jsp?bid=102930
- In the wild https://arstechnica.com/information-technology/2018/02/theres-a-new-adobe-flash-0day-and-up-and-coming-hackers-are-exploiting-it/
But what about Netflix.com/HBO.com?
You don’t need Flash on Firefox with any Windows device. (HBO on Firefox still seems to be an issue, so use another browser.)
How do you uninstall Flash?
Hilarious Note: The certificate on the Mac page is not good!
Chromebooks: (These instructions apply to Google Chrome on Windows, Mac, Linux, and Chrome OS.)
- Type chrome:plugins in the address bar to open the Plug-ins page.
- On the Plug-ins page that appears, find the “Flash” listing.
- To enable Adobe Flash Player, click the Enable link under its name.
- To disable Adobe Flash Player completely, click the Disable link under its name.
Or Google the search terms: “Uninstall Flash”
Hair on fire up to 3 of 5 – this is important
Still no hard evidence, but:
- Software is designed to transmit data back to its headquarters. “Our product detected known [Equation] malware on a user’s system. Later, on the same system, it also detected a (new) [non-Equation] backdoor originating from a pirated copy of Microsoft Office, and a [7-Zip] archive containing samples of previously unknown malware. After it detected them, our product sent the archive to our antivirus researchers for analysis.”: https://www.kaspersky.com/blog/internal-investigation-preliminary-results/19894/
- Can’t prove or disprove that some of this data is not personal info – the software can see everything.
Be aware, stay informed, and avoid the traps on the internet – listen to DIY Cyber Guy every week.
Raffy’s Blog: https://raffy.ch/blog