Security: Meltdown, Spectre, Apple, CoffeeMiner, EMC, VMware and More

  • NSA Didn't Know of Meltdown, Spectre, Trump Cyber Czar Says

    The National Security Agency didn't know about the Meltdown or Spectre flaws, White House cybersecurity coordinator Rob Joyce said at the International Conference on Cyber Security at Fordham University Law School here today (Jan. 11).

  • spectre and the end of langsec

    Like many I was profoundly saddened by this analysis. I want to believe in constructive correctness, in math and in proofs. And so with the rise of functional programming, I thought that this historical slide from reason towards observation was just that, historical, and that the "safe" languages had a compelling value that would be evident eventually: that "another world is possible".

    In particular I found solace in "langsec", an approach to assessing and ensuring system security in terms of constructively correct programs. One obvious application is parsing of untrusted input, and indeed the website appears to emphasize this domain as one in which a programming languages approach can be fruitful. It is, after all, a truth universally acknowledged, that a program with good use of data types, will be free from many common bugs. So far so good, and so far so successful.

    The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google's Caja compiler to isolate components from each other, even when they run in the context of the same web page.

    But the Spectre and Meltdown attacks have seriously set back this endeavor. One manifestation of the Spectre vulnerability is that code running in a process can now read the entirety of its address space, bypassing invariants of the language in which it is written, even if it is written in a "safe" language. This is currently being used by JavaScript programs to exfiltrate passwords from a browser's password manager, or bitcoin wallets.

  • Is Apple Even Paying Attention To macOS Security Anymore?

    A new Mac security flaw lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.

  • Ubuntu Linux Unbootable After Users Install Meltdown And Spectre Patches
  • Ubuntu Update For Meltdown And Spectre Chip Flaws Leaves Some PCs Unbootable

    Sometimes the cure is worse than the disease. Just ask the affected users of older AMD systems who had their PCs bricked after downloading and installing a Windows update that was supposed to protect them from Meltdown and Spectre. It is not just Windows users who are suffering, either. Some Ubuntu Xenial 16.04 users also report that the latest update for their OS has rendered their system unable to boot.

  • How CoffeeMiner Attack Hacks Public Wi-Fi And Uses Your PC For Mining Cryptocurrency

    After a series of ransomware attacks capturing the headlines in the past year, crypto mining malware and cryptojacking attacks came into play. Just last month, a Starbucks customer found that the infected Wi-Fi hotspot was trying to mine Monero digital coins. It was a new kind of threat associated with using public hotspots, which are often labeled unsafe and users are advised to use VPN services for extra privacy.

  • Prosecutors say Mac spyware stole millions of user images over 13 years

    An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.

  • EMC, VMware security bugs throw gasoline on cloud security fire

    While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

  • Malware based on open source Kotlin language discovered lurking in Google Play [Ed: This has nothing to do with "open source". They don't say "proprietary" when the framework is.]

    Basically, it's pretty typical of the malware that crops up in dodgy apps that have wormed their way past the digital bouncers on the Play Store.

  • How to increase Linux security by disabling USB support

    This may sound like a crazy way of enhancing security on a server, but if you can get away with it—as in you don't need any USB devices such as keyboards, mice, external drives—disabling USB support can be an added means of ensuring malicious files do not find their way onto your servers. Obviously, this will only work for headless machines, so you better make certain you can SSH into those servers, otherwise, you'll find yourself in trouble trying to input anything via keyboard or mouse.
