until that changes, airgap your weird hardware setups I guess
Also this is a perfect storm for lateral movement. USB-borne worms still work frighteningly well in small-biz environments, especially ones with no centralized IT and people plugging printers directly into Windows desktops with admin perms. Here SnipVex is just a cherry on top: a nice, opportunistic payload for the growing class of infostealers targeting crypto wallets.
This is a chronic problem with hardware vendors.
Source: Software developer for hardware companies, for over 30 years.
Open-source printer stack is a legacy mess. There is a critical vulnerability almost every year. There is not enough money and there are not enough developers to fix that!
Not affiliated, just a happy user; at least some companies seem to be able to deal with it, regardless of whether it's open source (my stack) or not (my wife's Apple stack).
But I did some research before buying (including here on HN) and Brother printers were praised for being reliable and having no problems with Linux drivers.
But this process is still ongoing and lazy hardware vendors will continue to be lazy in their switch, if they have the option.
I don't necessarily disagree, but isn't this because of extremely bad firm/soft/hardware design by the printer companies that then have to be supported by the open source stack?
Maybe true, but no live trojans either, so it's ahead of the game already as I see it.
The steps are invariably:
- Turn it off then turn it back on again
- Force stop, clear your cache and cookies
- Disable AV and firewall then reinstall
If the user cannot be induced to follow this simple script, then we can never move past the most basic of troubleshooting sessions.
Because everyone knows that troubleshooting is about covering up the symptoms rather than diagnosing the root cause.
- Chrome doesn't work! (It was actually Microsoft Word)
- My printer won't print! (Out of paper)
- Your program keeps crashing! (No, that's the OS reminding you of a security update)
Go look at the "build log" in your compromised Jenkins server and download the (already compromised) build artifact and make sure it matches the mega.co.nz file?
Do you expect the average software engineer to be able to look at a .exe, pull up a disassembler, and know that all the assembly maps back to the source code?
I wouldn't be surprised if, in many cases, these companies just have whoever touched the code last run a build on their computer and ship that. (Which probably explains how some of the malware got there.)
That this system is so insecure as to be hit multiple times, I don't know how much stock anyone should put in "improved processes". This is a company who seems to have gone out of their way to create an insecure environment - probably out of some frustration, but all the same, insecure.
Given their lax security posture, can we really trust this promise? I'd demand, at minimum, a pinky swear.
Totally fills you with confidence.
My keyboard's drivers are hosted on "egnyte.com"
This is an afternoon's effort for the junior intern, but was "too hard" for these people.
Catch filter that can be trivially replaced in the field, firmware needs to be reset by an authorised repair center (yes, there are workarounds, but they aren't official).
Also on Windows their "drivers" install a ton of crap with them, even when you install the most basic version in their installer. When in fact they have got a driver which does exactly what it should and only installs a driver, but then they don't get that sweet spyware installed on your machine.
Never mind their network printer driver just failing to print half the time. Prints fine from my phone, on the same network right next to my PC but from my PC, FU.
Epson are not innocent in the chaos that is printers.
This may be the main thing to fix here, as it's very plausible that hacks happen again and again... by design.
Today it's an infected printer, tomorrow it will be a game on Steam.
It’s not, because that wasn’t the problem and would not have worked. For one, nothing indicates the $100K were extracted in one go, it looks like it was cumulative. For another, this malware isn’t directly sending coins, it’s just replacing addresses in your clipboard.
"You're sending $100k to L33tHaX0R, are you sure?"
But that would require the protocol to also have the ability to set friendly names against public addresses.
You could imagine a wallet that uses certificates for address validation. So a certificate owner could sign that they own a given public key. ( And sign with the public key to show they own that key too. )
Then that could go into a "verified recipients" section of the wallet, and you could set your wallet to only allow sending to verified recipients. ( Or only allow transactions over X to verified ).
Most crypto exchanges and merchants generate unique addresses per user/transaction, so this won't work. Moreover having a fixed address is bad for privacy because it makes it obvious what the recipient of a given transaction is.
Security isn't an absolute. You're not trying to stop all vectors, you're just trying to put up a barrier to trip up by far the most common and easy method.
In a world where everyone leaves their doors open all day, you're asking "Why shut and lock your door when an attacker could just smash your windows?"
Which it doesn’t, and changing it to do so is not a realistic option. If we’re dreaming up anything, then my suggestion would instead be for no one to be dishonest, or for everyone’s basic needs to be met so they don’t need money and to speculate on cryptocurrencies. I’m pretty confident either of those would happen before every way people routinely get swindled off their cryptocurrencies is solved.
Clipboard attacks are far easier, as most modern systems treat clipboard as a non-critical resource. Which is mind blowing if you ask me.
An app reading from clipboard must ring all sorts of alarms. Let alone writing to it.
You realize any sort of content editing app is going to be reading from clipboard? Most apps used on a daily basis are going to be reading from clipboard.
- An app running in the background listening to clipboard changes;
- An app without a focused/visible window reading clipboard;
- An app reading from clipboard without a corresponding user input (menu/hotkey).
All these should be detectable and controlled by the OS.
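The two ideas above (the clipboard-swapping behaviour described for SnipVex, and the three access heuristics an OS could enforce) can be turned into detection logic. The following is an added example, not code from the thread or from any OS or wallet; it runs the heuristics over a constructed, in-memory log of clipboard events. The event fields (`app`, `focused`, `user_action`), the process names, the addresses and the loose address regex are all assumptions made for the example, and the regex does not validate checksums.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Loose shape check for Bitcoin addresses (legacy/P2SH base58 or bech32).
# Constructed for this example: deliberately permissive, no checksum check,
# so it only answers "does this look like an address?".
BTC_ADDRESS_RE = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"
)


def looks_like_btc_address(text: str) -> bool:
    return bool(BTC_ADDRESS_RE.match(text.strip()))


@dataclass
class ClipboardEvent:
    t: float            # seconds since session start
    app: str            # process that touched the clipboard (assumed field)
    op: str             # "read" or "write"
    value: str          # clipboard contents after the operation
    focused: bool       # did the process own the focused window?
    user_action: bool   # was the access tied to a hotkey/menu action?


def policy_flags(ev: ClipboardEvent) -> List[str]:
    """The OS-level heuristics from the thread: clipboard access with no
    focused window, or with no corresponding user input, gets flagged."""
    flags = []
    if not ev.focused:
        flags.append("no-focused-window")
    if not ev.user_action:
        flags.append("no-user-input")
    return flags


def detect_swaps(events: List[ClipboardEvent], window: float = 5.0) -> List[Dict]:
    """Flag the hijacker pattern: an address-looking value is replaced by a
    different address-looking value, by a different process, with no user
    input, within `window` seconds of being written."""
    alerts = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        if ev.op != "write":
            continue
        if (prev is not None
                and looks_like_btc_address(prev.value)
                and looks_like_btc_address(ev.value)
                and ev.value != prev.value
                and ev.app != prev.app
                and not ev.user_action
                and ev.t - prev.t <= window):
            alerts.append({"t": ev.t, "by": ev.app,
                           "from": prev.value, "to": ev.value})
        prev = ev
    return alerts


def audit(events: List[ClipboardEvent]) -> Dict[str, List[Dict]]:
    """Run both checks and return everything worth showing to a user/admin."""
    policy = [{"t": ev.t, "app": ev.app, "flags": policy_flags(ev)}
              for ev in events if policy_flags(ev)]
    return {"policy": policy, "swaps": detect_swaps(events)}


# Constructed sample session: the user copies a recipient address from a
# browser, a background process silently replaces it, and the user pastes
# the replacement into their wallet without noticing.
VICTIM_ADDR = "bc1qconstructedvictimaddress0123456789"   # constructed
ATTACKER_ADDR = "1AttackerSwappedAddr2345678912"          # constructed


def sample_events() -> List[ClipboardEvent]:
    return [
        ClipboardEvent(0.0, "browser", "write", VICTIM_ADDR, True, True),
        ClipboardEvent(0.3, "svc-updater", "read", VICTIM_ADDR, False, False),
        ClipboardEvent(0.4, "svc-updater", "write", ATTACKER_ADDR, False, False),
        ClipboardEvent(4.0, "wallet", "read", ATTACKER_ADDR, True, True),
        ClipboardEvent(30.0, "browser", "write", "meeting notes", True, True),
        ClipboardEvent(31.0, "editor", "read", "meeting notes", True, True),
    ]


if __name__ == "__main__":
    result = audit(sample_events())
    for entry in result["policy"]:
        print(f"[policy] t={entry['t']:>5} {entry['app']}: {', '.join(entry['flags'])}")
    for alert in result["swaps"]:
        print(f"[swap]   t={alert['t']:>5} {alert['by']} replaced "
              f"{alert['from'][:12]}... with {alert['to'][:12]}...")
```

The policy check fires on the background process twice (read and write), and only the write that replaced one address with another triggers the swap alert; the user's own copies and pastes, and the later non-address clipboard traffic, produce nothing. A real implementation would hook the platform clipboard rather than a list, but the decision logic is the same.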
But something like that would only be surprising if it was more than an obvious lazy asset flip.
The bigger question is, when they said:
> G Data's research showed that the Bitcoin address linked to SnipVex had received about 9.3 BTC, roughly $100,000
How big was the largest amount stolen?
It could be a few individuals with a lot of money in their unprotected software wallets, or it could be a lot of people with relatively smaller amounts stolen from each of them.
If you only have a couple hundred dollars worth of bitcoin and don’t intend to buy any more of it then it doesn’t make much sense to spend as much on a hardware wallet as those cost. But if you have like $500 of bitcoin then it starts to make more sense. Especially if you plan on buying more of it. And if you have over a $1,000 and are still using a software wallet you should really look into getting a hardware wallet ASAP IMHO.
They already do? Here's a random screenshot I found:
https://user-images.githubusercontent.com/4597798/33999728-3...
The details are blacked out, but you can make out that it shows the address label along with the full address.
Absolute shit state we are in.