Whisper App Exposes Entire History of Chat Logs, Personal Details and Location

Whisper, the anonymous messaging app beloved by teens and tweens the world over, has a problem: it’s not as anonymous as we’d thought. The platform is only the latest that brands itself as private by design while leaking sensitive user data into the open, according to a damning Washington Post report out earlier today. According to the sleuths that uncovered the leak, “anonymous” posts on the platform—which tackle everything from closeted homosexuality, to domestic abuse, to unwanted pregnancies—could easily be tied to the original poster.

As is often the case, the culprit was a leaky bucket that housed the platform’s entire posting history since it first came onto the scene in 2012. And because this app has historically courted a ton of teens, a lot of this data can get really unsavory, really fast. The Post describes being able to pull a search for users that listed their age as fifteen and getting more than a million results in return, which included not only their posts, but any identifying information they gave the platform, like age, ethnicity, gender, and the groups they were a part of—including groups that are centered around delicate topics like sexual assault.

Whisper told the Post that they’d shut down the leak once contacted—a point that Gizmodo independently confirmed. Still, the company has yet to come around to cracking down on its less-than-satisfying policies surrounding location data. In 2014, Whisper was caught sharing this data with federal researchers as part of research on personnel stationed at military bases. In the years since then, it looks like a lot of this data is still up for grabs. While some law enforcement officials might need to get their hands on it, Gizmodo’s own analysis found multiple targeted advertising partners that are scooping up user location data as recently as this afternoon.

Source: Whisper App Exposes Entire History of Chat Logs: Report

Intel CPUs vulnerable to new LVI attacks, allows information injection

Named Load Value Injection, or LVI for short, this is a new class of theoretical attacks against Intel CPUs.

While the attack has been deemed only a theoretical threat, Intel has released firmware patches to mitigate attacks against current CPUs, and fixes will be deployed at the hardware (silicon design) level in future generations.

A reverse Meltdown attack

To understand what an LVI attack is, users must first be aware of the Meltdown and Spectre attacks, and more particularly Meltdown.

Disclosed in January 2018, the Meltdown attack allowed an attacker running code on a CPU to read data from the CPU’s memory, while the CPU was processing “speculative” operations.

Speculative execution is a feature of all modern CPUs, one in which the CPU computes information in advance in an attempt to guess future results. The entire idea of speculative execution is to have the data ready for the CPU, if it ever needs it, and help improve the CPU’s speed and performance. Once data is not needed, it’s discarded. Meltdown and Spectre attacks target data while in this “transient” state, while waiting to be dismissed.

The Meltdown and Spectre attacks were groundbreaking when they were first revealed in 2018, showing a major flaw in the designs of modern CPUs.

Based on the original attacks, academics around the world later expanded the original research and discovered an entire class of so-called “transient attacks” that also leaked data from CPUs in their “transient” speculative execution states.

Besides Meltdown and Spectre, other transient attacks were eventually discovered during the past two years, including the likes of Foreshadow, Zombieload, RIDL, Fallout, and LazyFP.

LVI’s position in all these attacks is, technically, of a reverse-Meltdown. While the original Meltdown bug allowed attackers to read an app’s data from inside a CPU’s memory while in a transient state, LVI allows the attacker to inject code inside the CPU and have it executed as a transient “temporary” operation, giving attackers more control over what happens.

Tests performed by the two research teams — who found the LVI attack independently from one another — have been successful at proving the attack’s broad impact.

[…]

Current LVI attack demos rely on running malicious code on a computer, suggesting that local access is needed — such as delivering malicious code to the target via malware.

However, a remote attack is also possible via JavaScript, by tricking users into accessing a malicious site — similar to the original Meltdown attack, which could also be carried out via JavaScript.

[…]

While a change in the silicon design will eventually come with future CPUs, currently, Intel has prepared software-based mitigations, in the form of CPU firmware (microcode) updates.

However, according to preliminary tests, these mitigations come with a severe performance impact that may slow down computations from 2 to 19 times, depending on the number of mitigations system administrators decide to apply to their CPUs.

Currently, many administrators are expected to skip these patches, primarily because of the severe performance impact.

Source: Intel CPUs vulnerable to new LVI attacks | ZDNet

New type of pulsating star discovered

A star that pulsates on just one side has been discovered in the Milky Way about 1500 light years from Earth. It is the first of its kind to be found and scientists expect to find many more similar systems as technology to listen inside the beating hearts of stars improves.

[…]

Stars that pulsate have been known in astronomy for a long time. Our own Sun dances to its own rhythms. These rhythmic pulsations of the stellar surface occur in young and in old stars, and can have long or short periods, a wide range of strengths and different causes.

There is however one thing that all these stars had thus far in common: the oscillations were always visible on all sides of the star. Now an international team, including researchers from the University of Sydney, has discovered a star that oscillates largely over one hemisphere.

Artist’s impression of pulsating star. Credit: Gabriel Pérez Díaz (IAC)

The scientists have identified the cause of the unusual single-sided : the star is located in a binary star system with a red dwarf. Its close companion distorts the oscillations with its . The clue that led to its discovery came from citizen scientists poring over public data from NASA’s TESS satellite, which is hunting for planets around distant stars.

The orbital period of the binary system, at less than two days, is so short that the larger star is being distorted into a tear-drop shape by the gravitational pull of the companion.

[…]

To their surprise the team observed that the strength of the pulsations depended on the aspect angle under which the star was observed, and the corresponding orientation of the star within the binary. This means the pulsation strength varies with the same period as that of the binary.

“As the binary stars orbit each other we see different parts of the pulsating star,” said Dr. David Jones at the Instituto de Astrofisica de Canarias and co-author of the study. “Sometimes we see the side that points towards the companion star, and sometimes we see the outer face.”

This is how the astronomers could be certain that the pulsations were only found on one side of the star, with the tiny fluctuations in brightness always appearing in their observations when the same hemisphere of the star was pointed towards the telescope.

Source: New type of pulsating star discovered

Avast’s and AVG AntiTrack promised to protect your privacy. Instead, it opened you to miscreant-in-the-middle snooping

Web researcher David Eade found and reported CVE-2020-8987 to Avast: this is a trio of blunders that, when combined, can be exploited by a snooper to silently intercept and tamper with an AntiTrack user’s connections to even the most heavily secured websites.

This is because when using AntiTrack, your web connections are routed through the proxy software so that it can strip out tracking cookies and similar stuff, enhancing your privacy. However, when AntiTrack connects to websites on your behalf, it does not verify it’s actually talking to the legit sites. Thus, a miscreant-in-the-middle, between AntiTrack and the website you wish to visit, can redirect your webpage requests to a malicious server that masquerades as the real deal, and harvest your logins or otherwise snoop on you, and you’d never know.
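As an added illustration (not code from Avast, AVG or the article), the Python sketch below shows the upstream check the paragraph above says was skipped: a TLS-intercepting proxy has to validate the real site's certificate itself, because the browser only ever sees the proxy's certificate. All function names are hypothetical.

```python
import socket
import ssl


def insecure_upstream_context():
    """Upstream TLS settings matching the flaw described: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never validated
    return ctx


def verified_upstream_context():
    """Corrected settings: chain validation against the system trust store plus hostname check."""
    return ssl.create_default_context()


def audit_upstream_context(ctx):
    """Return a list of findings for a proxy's upstream SSLContext (empty list means OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def open_upstream(host, port=443, ctx=None, timeout=10.0):
    """Connect to the origin on the user's behalf, refusing unverified TLS settings."""
    ctx = ctx or verified_upstream_context()
    problems = audit_upstream_context(ctx)
    if problems:
        # Fail closed before any bytes are sent to a possibly spoofed server.
        raise ValueError("refusing upstream TLS: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # server_hostname drives both SNI and the hostname check.
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

With the verified context, a server presenting a certificate that does not chain to a trusted root or does not match the requested hostname causes `wrap_socket` to raise `ssl.SSLCertVerificationError` instead of silently completing the handshake.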

The flaws affect both the Avast and AVG versions of AntiTrack, and punters are advised to update their software as a fix for both tools has been released.

Eade has been tracking the bug since August last year.

“The consequences are hard to overstate. A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and record credentials for later re-use,” he said. “If a site needs two factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in.”

Source: Avast’s AntiTrack promised to protect your privacy. Instead, it opened you to miscreant-in-the-middle snooping • The Register