Security Alerts & News
by Tymoteusz A. Góral

#891 ASUS delivers BIOS and UEFI updates over HTTP with no verification
The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity.

The LiveUpdate toolkit is what you'd call bloatware or crapware, software prepacked on your computer that's already there when you boot up for the first time. Very few people are aware of its presence, and most of them think it should be there to begin with because it's provided by their laptop's manufacturer.

Unfortunately for ASUS customers, the company's official "bloatware" doesn't use the most secure mechanism to deliver updates, as US security researcher Morgan Gangwere has discovered.

#890 On her microphone's secret service: How spies, anyone can grab crypto keys from the air
In a paper published by the Association for Computing Machinery, researchers from Tel Aviv University have detailed how inexpensive kit can be used to harvest 4,096-bit encryption keys in just a few seconds and from distances of around 10 metres (33 feet).

These are the same boffins who hid a loop of wire and a USB radio dongle in a piece of pita bread last year and used it to steal keys over the air.

In their latest research, the team managed to pick up encryption keys using acoustics. As a computer's processor churns through the encryption calculations, the machine emits a high-frequency "coil whine" from the changing electrical current flowing through its components.