
Want to talk about entropy? I don't want to, but I have to, since one of the most important news stories of the week (and, surprisingly, the most popular story on Threatpost) is about it. More precisely, it is about an impressive (if not later refuted) breakthrough in the problem of generating random numbers. The paper by researchers David Zuckerman and Eshan Chattopadhyay of the University of Texas proves that high-quality random numbers can be generated from two lower-quality sources. To be precise, this was possible before: about 10 years ago, for example, the Belgian mathematician Jean Bourgain showed it. The problem with Bourgain's work was that these "not very high-quality" sources were in fact subject to rather high entropy requirements, so his research was of purely scientific value.
But in this case the value may be quite practical: put simply, the new work will make it possible to obtain random numbers quickly and cheaply, reducing the chances of, say, encrypted correspondence being broken because of a weakness in the generation algorithm. The main requirement for the two sources is the absence of correlation between them. All in all, this is good (although extremely hard to understand) news from the scientific front, which may well find application in cryptography, and not only there. Reviews of the paper are on the whole very positive, but, as this BBC article correctly notes, the study does not offer anything fundamentally new. Still, the quality and speed of existing methods of generating random numbers can be improved.
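The requirement that the two sources be uncorrelated, and the entropy demands of older constructions, can be seen on a toy scale. This is an added example, not code from the paper or from this column: it uses the classical inner-product two-source extractor rather than the new construction, and the 16-bit source functions, sample count and seeds are constructed for illustration.

```python
import random

N_BITS = 16        # length of each source sample (constructed parameter)
SAMPLES = 20000    # output bits generated per experiment

def inner_product_bit(x: int, y: int) -> int:
    """Classical two-source extractor: <x, y> over GF(2), one output bit."""
    return bin(x & y).count("1") & 1

def bias(bits) -> float:
    """|P(1) - 1/2| of an output stream: 0 is ideal, 0.5 is a constant bit."""
    bits = list(bits)
    return abs(sum(bits) / len(bits) - 0.5)

# Constructed weak sources: none is uniform over all 16-bit strings.
def even_parity(rng):
    """Uniform over strings with an even number of ones (15 bits of entropy)."""
    x = rng.getrandbits(N_BITS - 1)
    return (x << 1) | (bin(x).count("1") & 1)

def low_half(rng):
    """Top 8 bits stuck at zero (8 bits of entropy)."""
    return rng.getrandbits(N_BITS // 2)

def high_half(rng):
    """Bottom 8 bits stuck at zero (8 bits of entropy)."""
    return rng.getrandbits(N_BITS // 2) << (N_BITS // 2)

def run(src_a, src_b, correlated=False, seed=1):
    """Bias of the extractor output for one pair of sources."""
    ra, rb = random.Random(seed), random.Random(seed + 1)
    out = []
    for _ in range(SAMPLES):
        x = src_a(ra)
        y = x if correlated else src_b(rb)   # correlated: second source copies the first
        out.append(inner_product_bit(x, y))
    return bias(out)

def demo():
    return {
        "independent, high entropy": run(even_parity, even_parity),
        "correlated (y == x)": run(even_parity, even_parity, correlated=True),
        "independent, low entropy": run(low_half, high_half),
    }

if __name__ == "__main__":
    for name, b in demo().items():
        print(f"{name:28s} bias = {b:.4f}")
```

Only the first pair yields a usable bit stream: the correlated pair and the pair whose entropy sits in disjoint halves both produce a constant output, which is the limitation newer constructions aim to relax for low-entropy sources.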
Previous editions of the digest are available by tag.
Microsoft cuts back Wi-Fi Sense technology
News. Announcement on TechNet.
Wi-Fi Sense is, on the whole, a useful piece of functionality. It lets you give friends or colleagues access to a Wi-Fi network you know without handing over the password. By default, Windows automatically shares this information with your Outlook and Skype contacts, and with a couple of clicks you can also share your Wi-Fi with your Facebook friends. On the whole it is a perfectly normal feature, which solves a problem precisely where none exists. Giving Wi-Fi access to a couple of friends is not a problem. It is much harder to hand out a password to, say, restaurant visitors.

Be that as it may, last year Microsoft received a lot of "love" from users and the media for this feature. Against the background of the other "improvements" in data collection in Windows 10, Wi-Fi Sense became the cherry on the cake. Yet the technology itself appeared before Windows 10, in April 2014, and nobody paid attention to it then. In short, it did not work out: citing rare use of the feature, Microsoft decided this week to cancel it, limiting the automatic connection options to known open hotspots.
How justified is it to criticize Microsoft for such "improvements"? On the one hand, the example of Wi-Fi Sense shows that it is becoming increasingly difficult for users to control the spread of information about themselves. Personally, there are people in my Skype contacts, about half of them, to whom I do not want to tell anything about myself at all, much less give access to my hotspots. On the other hand, collecting user information really is needed to improve the quality of online services and to develop new technologies. Everyone does this, not only Microsoft, and I find it quite normal, for example, that my smartphone reports traffic jams on my way to work in the morning and on my way home in the evening, because it knows exactly where I live and work.
The development of these technologies will inevitably change the relationship between users and the developers of online services and software. Exactly how is not very clear, and restricting data collection too much is probably wrong as well: it would make new technologies harder to develop. Perhaps the only thing I would like to see guaranteed is the right of users to decide what information is sent and where. At a minimum, they should know what is going where. It turns out that Wi-Fi Sense is a positive casualty of the privacy debate: there were no lengthy trials and no awkward legislation. The public simply made it clear to Microsoft that the experimental feature brought more losses than benefits.
A vulnerability was discovered and closed in the open-source 7-Zip archiver
News. Research.
Vulnerabilities in open-source projects are good (ok, bad word) in that you can always analyze where the problem came from and how it was fixed, right down to a specific line of code. Specialists at Cisco's Talos research division discovered that the 7-Zip archiver handles the UDF format incorrectly (not everyone remembers it any more, but this is the standard for rewritable CDs and, later, for various types of DVD). One feature of the format is the ability to use multiple partitions on one disc. As it turned out, this makes it possible to craft a UDF image which, when processed, causes the archiver to overflow a buffer, so that arbitrary code execution becomes possible.
Vulnerabilities in open source are not so good in that the scale of the problem is very hard to assess. Although this vulnerability is far from Heartbleed, many programs and even devices that use the 7-Zip code in some way may be affected. Everyone is advised to upgrade to the latest, 16th version of the archiver.
What else happened:
A database with millions of LinkedIn passwords (stolen, however, back in 2012) appeared on the black market; changing your password for this service is recommended.
Dell found close to a hundred modifications of mobile blockers, distributed mainly through porn sites. Why am I not surprised?
On Tumblr, changing your password is also advisable.
Antiquities: "Hard-662"
A very dangerous memory-resident virus that writes itself, in the standard way, into .COM files when they are run. On Mondays at 6 p.m. it displays the text "It's hard days days!" and erases the first 50 sectors on all available disks. It hooks int 21h.
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky. 1992. Page 69.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. That depends on luck.