I picked up my work laptop yesterday because it was so slow, it was impossible to use with any reasonable speed. My computer repairman told me it was clogged up with viruses. He said Norton sucks, and said the free anti-virus program I use is the one he prefers (AVG). He warned that it was basically impossible to avoid them if you spent much time online — he compared them to potholes. He advised me to be vigilant about updating Java, Flash, and Adobe, because their vulnerabilities were the most popular point of entry for malware and viruses. That’s why I have a backup service — you never know when you’ll need it.
Oh, and by the way, did I mention tomorrow is the beginning of the Mercury retrograde?
Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.
Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware.
But he (Karsten Nohl) warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard’s bugs and pull existing vulnerable devices out of circulation. “It’s unfixable for the most part,” Nohl said at the time. “But before even starting this arms race, USB sticks have to attempt security.”