How to: Firmware Update the AMD Radeon RX 5600 XT
MSI Radeon RX 5600 XT Gaming Z review
Sapphire Pulse Radeon RX 5600 XT OC review
ASUS STRIX Radeon RX 5600 XT TOP review
Gigabyte Radeon RX 5600 XT Gaming OC review
Arctic Liquid Freezer II 280 liquid cooler review
Promo: Windows 10 Pro licenses for under 10 USD
Team Group MP33 NVMe 512 GB SSD Review
ADATA SE800 1TB Portable SSD review
Promo: Microsoft Office 2016 for $29.82
Asus releases Live Update software with security measures
Yesterday the news broke that Asus Live Update software installed on laptops and PCs from the Taiwanese manufacturer contained a backdoor between June and November 2018. Thus far it has been silent at the ASUS camp.
Malicious folks this way could install malware on specific systems. ASUS, however, updated its Live Update software and has released a new version with security measures. The manufacturer is staying awfully silent in light of this incident in terms of content or warning published on their websites, especially considering that over 500.000 could have been affected. Version 3.6.8 of the Live Update software prevents manipulation by third parties. Asus also mentions that end-to-end encryption is now being applied in the update software and that security measures have been taken on the update servers to prevent similar attacks in the future.
ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups
Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers.
ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has reached out to affected users and provided assistance to ensure that the security risks are removed.
ASUS has also implemented a fix in the latest version (version 3.6.8) or the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form or software updates or other means, and implemented an enhanced end-to -end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end user software architecture to prevent similar attacks from happening in the future.
Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps-for-Win10/ASUSDiagnosticTool/ASDT-v1.0.1.0.zip
Users who have any additional concerns are welcome to contact ASUS Customer Service.
More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html
ASUS Releases 32-inch ROG Strix XG32VQR 1440p 144Hz FreeSync 2 HDR - 11/28/2018 05:15 PM
ASUS is now listing the new 32-inch ROG Strix XG32VQR display, offering users a large FreeSync 2 HDR compliant VA panel with a wide color gamut (125% sRGB) and a high 144Hz maximum refresh rate. The ...
ASUS Releases ROG Aura RGB Terminal - 05/29/2018 07:51 AM
ASUS has released a Four-port addressable RGB controller with ROG Halo and Aura Sync which you can hook up to your compatible motherboard and further expand your RGB bling on. With ASUS Halo you can ...
ASUS Releases TUF Gaming FX504 Gaming Laptop - 04/11/2018 07:52 AM
FX504 is the first laptop in the new TUF Gaming Series. To ensure system longevity and stable performance, FX504 features the patented Anti-Dust Cooling (ADC), and it's powered by the latest-generat...
ASUS Releases Budget VP228QG Gaming Monitor - 04/03/2018 07:04 AM
ASUS launches a tiny 21.5 inch Full HD, 1ms, 75Hz TN monitor. It's Adaptive-Sync/FreeSync compatible. VP228QG 21.5" Full HD monitor with 100,000,000:1 high contrast ratio and eliminates sm...
ASUS Releases VG255H Console Gaming Monitor - 24.5”, FHD (1920x1080) 1ms - 03/28/2018 07:45 AM
Built for the console and PC gaming experience, the TN panel based 24.5” ASUS VG255H Full HD gaming monitor features a fast 1ms response time and 75Hz refresh rate. ...
fantaskarsef
Senior Member
Posts: 11156
Joined: 2014-07-21
Senior Member
Posts: 11156
Joined: 2014-07-21
#5654336 Posted on: 03/26/2019 04:06 PM
Oh the irony of releasing a new update software to patch your malware ridden update software...
At least they did something. Now, months after. Still not going to install their rubbish for my Asus board.
Oh the irony of releasing a new update software to patch your malware ridden update software...
At least they did something. Now, months after. Still not going to install their rubbish for my Asus board.
tsunami231
Senior Member
Posts: 9864
Joined: 2003-05-24
Senior Member
Posts: 9864
Joined: 2003-05-24
#5654357 Posted on: 03/26/2019 05:24 PM
some how I think this effect more then the thousands that was reported.
some how I think this effect more then the thousands that was reported.
Kaill
Member
Posts: 95
Joined: 2015-12-10
Member
Posts: 95
Joined: 2015-12-10
#5654379 Posted on: 03/26/2019 06:28 PM
so the link for the tool is not working
so the link for the tool is not working
Venix
Senior Member
Posts: 1043
Joined: 2016-08-01
Senior Member
Posts: 1043
Joined: 2016-08-01
#5654595 Posted on: 03/27/2019 09:31 AM
So they released an uninstaller?
So they released an uninstaller?
BetA
Senior Member
Posts: 4198
Joined: 2008-03-03
Senior Member
Posts: 4198
Joined: 2008-03-03
#5655115 Posted on: 03/28/2019 02:44 PM
UPDATE2:
A security researcher warned Asus two months ago that employees were improperly publishing passwords in their GitHub repositories that could be used to access the company’s corporate network.
One password, found in an employee repo on the code sharing, allowed the researcher to access an email account used by internal developers and engineers to share nightly builds of apps, drivers and tools to computer owners. The repo in question was owned by an Asus engineer who left the email account’s passwords publicly exposed for at least a year. The repo has since been wiped clean, though the GitHub account still exists.
“It was a daily release mailbox where automated builds were sent,” said the researcher, who goes by the online handle SchizoDuckie, in a message to TechCrunch. Emails in the mailbox contained the exact internal network path where drivers and files were stored.
The researcher shared several screenshots to validate his findings.
The researcher didn’t test how far the account access could have given him, but warned it could have been easy to pivot onto the network. “All you’d need is send one of those emails with an attachment to any of the recipients for a real nice spearphishing attack,” he said.
The researcher’s findings would not have stopped the hackers who targeted Asus’ software update tool with a backdoor, revealed this week, but reveals a glaring security lapse that could have put the company at risk from similar or other attacks. Security firm Kaspersky warned Asus on January 31 — just a day before the researcher’s own disclosure on February 1 — that hackers had installed a backdoor in the company’s Asus Live Update app. The app was signed with an Asus-issued certificate and hosted on the company’s download servers. More than a million users were pushed the backdoored code, researchers have estimated. Asus confirmed the attack in a statement and released a patched version.
Through the company’s dedicated security email, the researcher warned Asus of the exposed credentials. Six days later, he could no longer log in to the mailbox and assumed the matter was resolved.
But he found at least two other cases of Asus engineers exposing company passwords on their GitHub pages.
One Asus software architect based in Taiwan — where the company has its headquarters — left a username and password in code on his GitHub page. Another Taiwan-based data engineer also had credentials in his code.
“Companies have no clue what their programmers do with their code on GitHub,” said the researcher.
A day after we alerted Asus to the researcher’s email, the repos containing the credentials were pulled offline and wiped clean. Yet when reached, Asus spokesperson Randall Grilli told TechCrunch that the computer maker was “unable to verify the validity” of the claims in the researcher’s emails. “Asus is actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure there are no data leaks,” he added.
Granted, this isn’t an issue limited to Asus. Other companies have been put at risk by exposed and leaked credentials or hardcoded secret keys. Last week, academics found more than 100,000 public repos storing cryptographic keys and other secrets.
Among the most famous examples of exposed credentials was Uber, in which an engineer mistakenly left cloud keys in a GitHub repository, which when discovered and exploited by hackers was used to pilfer data on 57 million users. Uber was later ordered to pay $148 million in a data breach settlement.
But given Asus knew of the issues months ago amid a backdoor threat that affected more than a million users, you would have hoped for a better, more active response.
https://techcrunch.com/2019/03/27/asus-hacking-risk/
UPDATE2:
Asus was warned of hacking risks months ago, thanks to leaky passwords
A security researcher warned Asus two months ago that employees were improperly publishing passwords in their GitHub repositories that could be used to access the company’s corporate network.
One password, found in an employee repo on the code sharing, allowed the researcher to access an email account used by internal developers and engineers to share nightly builds of apps, drivers and tools to computer owners. The repo in question was owned by an Asus engineer who left the email account’s passwords publicly exposed for at least a year. The repo has since been wiped clean, though the GitHub account still exists.
“It was a daily release mailbox where automated builds were sent,” said the researcher, who goes by the online handle SchizoDuckie, in a message to TechCrunch. Emails in the mailbox contained the exact internal network path where drivers and files were stored.
The researcher shared several screenshots to validate his findings.
The researcher didn’t test how far the account access could have given him, but warned it could have been easy to pivot onto the network. “All you’d need is send one of those emails with an attachment to any of the recipients for a real nice spearphishing attack,” he said.
The researcher’s findings would not have stopped the hackers who targeted Asus’ software update tool with a backdoor, revealed this week, but reveals a glaring security lapse that could have put the company at risk from similar or other attacks. Security firm Kaspersky warned Asus on January 31 — just a day before the researcher’s own disclosure on February 1 — that hackers had installed a backdoor in the company’s Asus Live Update app. The app was signed with an Asus-issued certificate and hosted on the company’s download servers. More than a million users were pushed the backdoored code, researchers have estimated. Asus confirmed the attack in a statement and released a patched version.
Through the company’s dedicated security email, the researcher warned Asus of the exposed credentials. Six days later, he could no longer log in to the mailbox and assumed the matter was resolved.
But he found at least two other cases of Asus engineers exposing company passwords on their GitHub pages.
One Asus software architect based in Taiwan — where the company has its headquarters — left a username and password in code on his GitHub page. Another Taiwan-based data engineer also had credentials in his code.
“Companies have no clue what their programmers do with their code on GitHub,” said the researcher.
A day after we alerted Asus to the researcher’s email, the repos containing the credentials were pulled offline and wiped clean. Yet when reached, Asus spokesperson Randall Grilli told TechCrunch that the computer maker was “unable to verify the validity” of the claims in the researcher’s emails. “Asus is actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure there are no data leaks,” he added.
Granted, this isn’t an issue limited to Asus. Other companies have been put at risk by exposed and leaked credentials or hardcoded secret keys. Last week, academics found more than 100,000 public repos storing cryptographic keys and other secrets.
Among the most famous examples of exposed credentials was Uber, in which an engineer mistakenly left cloud keys in a GitHub repository, which when discovered and exploited by hackers was used to pilfer data on 57 million users. Uber was later ordered to pay $148 million in a data breach settlement.
But given Asus knew of the issues months ago amid a backdoor threat that affected more than a million users, you would have hoped for a better, more active response.
https://techcrunch.com/2019/03/27/asus-hacking-risk/
K.S.
Senior Member
Posts: 2053
Joined: 2009-06-07
Senior Member
Posts: 2053
Joined: 2009-06-07
#5655207 Posted on: 03/28/2019 07:01 PM
they're giving away kaspersky for free I hear ... ynark
they're giving away kaspersky for free I hear ... ynark
alanm
Senior Member
Posts: 9025
Joined: 2004-05-10
Senior Member
Posts: 9025
Joined: 2004-05-10
#5655257 Posted on: 03/28/2019 09:44 PM
Dragging their feet for months after being informed.... but instant action when it became public. What a disgrace.
Dragging their feet for months after being informed.... but instant action when it became public. What a disgrace.
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 4198
Joined: 2008-03-03
got an UPATE posted here:
https://forums.guru3d.com/threads/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers.425920/
scroll down, theres teh Update.
cheers