Security: Meltdown, Spectre, Apple, CoffeeMiner, EMC, VMware and More

Filed under
Security
  • NSA Didn't Know of Meltdown, Spectre, Trump Cyber Czar Says

    The National Security Agency didn't know about the Meltdown or Spectre flaws, White House cybersecurity coordinator Rob Joyce said at the International Conference on Cyber Security at Fordham University Law School here today (Jan. 11).

  • spectre and the end of langsec

    Like many I was profoundly saddened by this analysis. I want to believe in constructive correctness, in math and in proofs. And so with the rise of functional programming, I thought that this historical slide from reason towards observation was just that, historical, and that the "safe" languages had a compelling value that would be evident eventually: that "another world is possible".

    In particular I found solace in "langsec", an approach to assessing and ensuring system security in terms of constructively correct programs. One obvious application is parsing of untrusted input, and indeed the langsec.org website appears to emphasize this domain as one in which a programming languages approach can be fruitful. It is, after all, a truth universally acknowledged, that a program with good use of data types, will be free from many common bugs. So far so good, and so far so successful.

    The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google's Caja compiler to isolate components from each other, even when they run in the context of the same web page.

    But the Spectre and Meltdown attacks have seriously set back this endeavor. One manifestation of the Spectre vulnerability is that code running in a process can now read the entirety of its address space, bypassing invariants of the language in which it is written, even if it is written in a "safe" language. This is currently being used by JavaScript programs to exfiltrate passwords from a browser's password manager, or bitcoin wallets.

  • Is Apple Even Paying Attention To macOS Security Anymore?

    A new Mac security flaw lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.

  • Ubuntu Linux Unbootable After Users Install Meltdown And Spectre Patches
  • Ubuntu Update For Meltdown And Spectre Chip Flaws Leaves Some PCs Unbootable

    Sometimes the cure is worse than the disease. Just ask the affected users of older AMD systems who had their PCs bricked after downloading and installing a Windows update that was supposed to protect them from Meltdown and Spectre. It is not just Windows users who are suffering, either. Some Ubuntu Xenial 16.04 users also report that the latest update for their OS has rendered their system unable to boot.

  • How CoffeeMiner Attack Hacks Public Wi-Fi And Uses Your PC For Mining Cryptocurrency

    After a series of ransomware attacks capturing the headlines last year, crypto mining malware and cryptojacking attacks came into play. Just last month, a Starbucks customer found that the infected Wi-Fi hotspot was trying to mine Monero digital coins. It was a new kind of threat associated with using public hotspots, which are often labeled unsafe, and users are advised to use VPN services for extra privacy.

  • Prosecutors say Mac spyware stole millions of user images over 13 years

    An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.

  • EMC, VMware security bugs throw gasoline on cloud security fire

    While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

  • Malware based on open source Kotlin language discovered lurking in Google Play [Ed: This has nothing to do with "open source". They don't say "proprietary" when the framework is.]

    Basically, it's pretty typical of the malware that crops up in dodgy apps that have wormed their way past the digital bouncers on the Play Store.

  • How to increase Linux security by disabling USB support

    This may sound like a crazy way of enhancing security on a server, but if you can get away with it—as in you don't need any USB devices such as keyboards, mice, external drives—disabling USB support can be an added means of ensuring malicious files do not find their way onto your servers. Obviously, this will only work for headless machines, so you better make certain you can SSH into those servers, otherwise, you'll find yourself in trouble trying to input anything via keyboard or mouse.

More in Tux Machines

Fedora: Updated F27 Live ISOs, Synergy 2.0, Bodhi 3.2.0, Announcing Flapjack

  • F27-20180112 Updated Live Isos Released
    The Fedora Respins SIG is pleased to announce the latest release of Updated 27 Live ISOs, carrying the 4.14.13-300 kernel.
  • synergy-2.0.0 is in Fedora updates-testing
    I have packaged the latest stable version, 2.0.0, for Fedora 27, 26 and EPEL 7. No EPEL 6 update this time as it requires CXX14, which EL6 does not provide.
  • Bodhi 3.2.0 released
  • Announcing Flapjack
    Here’s a post about a tool that I’ve developed at work. You might find it useful if you contribute to any desktop platform libraries that are packaged as a Flatpak runtime, such as GNOME or KDE. Flatpak is a system for delivering desktop applications that was pioneered by the GNOME community. At Endless, we have jumped aboard the Flatpak train. Our product Endless OS is a Linux distribution, but not a traditional one in the sense of being a collection of packages that you install with a package manager; it’s an immutable OS image, with atomic updates delivered through OSTree. Applications are sandboxed-only and Flatpak-only.
  • Flapjack Helps Developers Work On Components Inside Flatpak

Security Leftovers

  • Security updates for Wednesday
  • Latvia's e-health system hit by cyberattack from abroad
    Latvia said its new e-health system was on Tuesday hit by a large-scale cyberattack that saw thousands of requests for medical prescriptions pour in per second from more than 20 countries in Africa, the Caribbean and the European Union. No data was compromised, according to health officials, who immediately took down the site, which was launched earlier this month to streamline the writing of prescriptions in the Baltic state. "It is clear that it was a planned attack, a widespread attack—we might say a specialised one—as it emanated from computers located in various different countries, both inside the European Union and outside Europe," state secretary Aivars Lapins told reporters. "We received thousands of requests in a very short space of time. That's not the normal way the system works," he said, adding that an investigation is under way.
  • Linux Lite Developer Creates Automated Spectre/Meltdown Checker for Linux OSes
    The developer of the Ubuntu-based Linux Lite distribution has created a script that makes it easier for Linux users to check if their systems are vulnerable to the Meltdown and Spectre security flaws. As we reported last week, developer Stéphane Lesimple created an excellent script that would check if your Linux distribution's kernel is patched against the Meltdown and Spectre security vulnerabilities that have been publicly disclosed earlier this month and put billions of devices at risk of attacks.
  • Purism Releases Meltdown and Spectre Patches for Its Librem Linux Laptops
    Purism, the computer technology company behind the privacy-focused, Linux-based Librem laptops and the upcoming smartphone, released patches for the Meltdown and Spectre security vulnerabilities. The company was one of the first Linux OEMs and OS vendors to announce that it's working on addressing both the Meltdown and Spectre security exploits on its Linux laptops. Meltdown and Spectre were unearthed in early January and they are two severe hardware bugs that put billions of devices at risk of attacks.
  • Facebook Awards Security Researchers $880,000 in 2017 Bug Bounties
    Facebook is hardly a small organization, with large teams of engineers and security professionals on staff. Yet even Facebook has found that it can profit from expertise outside of the company, which is why the social networking giant has continued to benefit from its bug bounty program. In 2017, Facebook paid out $880,000 to security researchers as part of its bug bounty program. The average reward payout in 2017 was $1,900, up from $1,675 in 2016.
  • Multicloud Deployments Create Security Challenges, F5 Report Finds

Arch Linux vs. Antergos vs. Clear Linux vs. Ubuntu Benchmarks

Last week when sharing the results of tweaking Ubuntu 17.10 to try to make it run as fast as Clear Linux, it didn't take long for Phoronix readers to share their opinions on Arch Linux and the request for some optimized Arch Linux benchmarks against Clear Linux. Here are some results of that testing so far in carrying out a clean Arch Linux build with some basic optimizations compared to using Antergos Minimal out-of-the-box, Ubuntu Server, and Clear Linux. Tests this time around were done on the Intel Core i9 7980XE system with ASUS PRIME X299-A motherboard, 4 x 4GB DDR4-3200 Corsair memory, GeForce GTX 750, and Corsair Force MP500 120GB NVMe solid-state drive. The system with 18 cores / 36 threads does make for quick and easy compiling of many Linux packages.

Mozilla Leftovers

  • Making WebAssembly even faster: Firefox’s new streaming and tiering compiler
    People call WebAssembly a game changer because it makes it possible to run code on the web faster. Some of these speedups are already present, and some are yet to come. One of these speedups is streaming compilation, where the browser compiles the code while the code is still being downloaded. Up until now, this was just a potential future speedup. But with the release of Firefox 58 next week, it becomes a reality. Firefox 58 also includes a new 2-tiered compiler. The new baseline compiler compiles code 10–15 times faster than the optimizing compiler.
  • Firefox Telemetry Use Counters: Over-estimating usage, now fixed
    Firefox Telemetry records the usage of certain web features via a mechanism called Use Counters. Essentially, for every document that Firefox loads, we record a “false” if the document didn’t use a counted feature, and a “true” if the document did use that counted feature.
  • Firefox 58 new contributors
  • Giving and receiving help at Mozilla
    This is going to sound corny, but helping people really is one of my favorite things at Mozilla, even with projects I have mostly moved on from. As someone who primarily works on internal tools, I love hearing about bugs in the software I maintain or questions on how to use it best. Given this, you might think that getting in touch with me via irc or slack is the fastest and best way to get your issue addressed. We certainly have a culture of using these instant-messaging applications at Mozilla for everything and anything. Unfortunately, I have found that being “always on” to respond to everything hasn’t been positive for either my productivity or mental health. My personal situation aside, getting pinged on irc while I’m out of the office often results in stuff getting lost — the person who asked me the question is often gone by the time I return and am able to answer.
  • Friend of Add-ons: Trishul Goel
    Our newest Friend of Add-ons is Trishul Goel! Trishul first became involved with Mozilla five years ago when he was introduced to the Firefox OS smartphone. As a JavaScript developer with an interest in Mozilla’s mission, he looked for opportunities to get involved and began contributing to SUMO, L10n, and the Firefox OS Marketplace, where he contributed code and developed and reviewed apps. After Firefox OS was discontinued as a commercial product, Trishul became interested in contributing to Mozilla’s add-ons projects. After landing his first code contributions to addons.mozilla.org (AMO), he set about learning how to develop extensions for Firefox using WebExtensions APIs. Soon, he began sharing his knowledge by leading and mentoring workshops for extension developers as part of Mozilla’s “Build Your Own Extension” Activate campaign.