Security: Updates, MDS, WhatsApp and 'The Cloud'
-
Security updates for Tuesday
-
Understanding the MDS vulnerability: What it is, why it works and how to mitigate it
MDS vulnerabilities explained in ~three minutes
-
A deeper look at the MDS vulnerability
In our last post, Jon Masters offered an overview of the MDS vulnerability. In this video, Jon provides a ddeper technical explanation of the vulnerability.
-
SUSE addresses Microarchitectural Data Sampling Vulnerabilities
Researchers have identified new CPU side channel information leak attacks against various microarchitectural buffers used in Intel CPUs. These attacks allows local attackers to execute code to read out portions of recently read or written data by using speculative execution. Local attackers can be on the same OS or running code on the same thread of a CPU core, which could happen for other VMs on the same physical host.
Intel, together with hardware and operating system vendors, have worked over recent months to prepare mitigations for these vulnerabilities, also known as RIDL, Fallout and ZombieLoadAttack. -
MDS: The Newest Speculative Execution Side-Channel Vulnerability [Ed: Faked performance means no security and since there are no rules associated with this, there will be no multi-billion-dollar fines, no mass recalls etc. What an awful industry.]
Intel just disclosed a new speculative execution side-channel vulnerability in its processors similar to the existing Spectre/L1TF vulnerabilities. This new disclosure is called the Microarchitectural Data Sampling (MDS).
The Microarchitectural Data Sampling vulnerability was discovered by Intel researchers and independently reported as well by external researchers and is said to be similar to existing speculative execution side channel vulnerabilities. Fortunately, some current-generation CPUs are not vulnerable and Intel says all new processors moving forward will be mitigated. For those processors affected, microcode/software updates are said to be coming.
-
Update WhatsApp now to avoid spyware installation from a single missed call
-
Update WhatsApp Now, Adobe Warning Creative Cloud Users with Older Apps, Kernels Older than 5.0.8 Are Vulnerable to Remote Code Execution, Schools in Kerala Choose Linux and MakeOpenStuff Is Launching the HestiaPi Touch Smart Thermostat
A vulnerability in WhatsApp allows spyware to be installed from a single unanswered phone call. The Verge reports that the "spyware, developed by Israel's secretive NSO group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp. Once installed, the spyware can turn on a phone's camera and mic, scan emails and messages, and collect the user's location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole."
-
How WhatsApp exposed its users to a spyware attack
Facebook-owned firm confirms that a vulnerability in WhatsApp opened doors for a spyware attack that installs a malicious code on victim's smartphone...
-
Modern IT security: Sometimes caring is NOT sharing
The last decade of technological advances has seen a race to reduce costs. Migration to virtualized systems quickly eclipsed traditional bare-metal deployments. At some point, virtualization will be out-paced by containerization. While the physical footprint of an organization’s compute resources may have been reduced, the complexity of managing those environments certainly has not.
Back in the Stone Age of IT operations and information security, everyone’s attention was focused on the corporate datacenter and the physical machines that lived there. It was simpler to understand where security controls needed to be applied. You had one giant cable coming into the building from "the internet," so you’d throw firewalls, Information Data Leak Prevention/Detection (IDP/IDS), proxies, load balancers and other tools in-line before that channel was split to the larger corporate network. This Castle-and-Moat model of protection worked fairly well (ignoring the insider threat) for decades.
[...]
Virtualization evolved into "the cloud". TL/DR for everyone out there: the cloud is just someone else’s computer. You used to run it on your server in your datacenter. Move it "to the cloud" and it now runs on Frank’s Discount Cloud and actually sits in his basement in Peoria, Illinois. Cloud-enabled individuals and businesses to have a low-cost means to quickly deploy systems and applications. It offered benefits around high availability and other features you’d typically see deployed in Enterprise-class organizations. Instead of ordering physical boxes from your favourite retailer or OEM and having that take weeks to be delivered and weeks more to be configured and deployed, now you call up Frank (say "Hi!" to his mom while she’s down in the server room doing Frank’s laundry) and Frank can have you up and running with computing and storage resources in minutes. Cloud lets you "outsource" a lot of technology and skills you might not have in-house (or have any interest in managing yourself).
- Login or register to post comments
- Printer-friendly version
- 9841 reads
- PDF version
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
digiKam 7.7.0 is releasedAfter three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. |
Dilution and Misuse of the "Linux" Brand
|
Samsung, Red Hat to Work on Linux Drivers for Future TechThe metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. |
today's howtos
|
Latest on MDS
"ZombieLoad": a new set of speculative-execution attacks
Ubuntu updates to mitigate new Microarchitectural Data Sampling (MDS) vulnerabilities
A Slew Of Stable Kernel Updates Issued For Addressing MBS / Zombieload Vulnerabilities
Insecurity firms spread fear over MDS to sell products/services
Linux Kernel Flaw Allows Remote Code-Execution
The 'insecurity publishers' use scary buzzwords now ("Meltdown")
The second Meltdown: New Intel CPU attacks leak secrets
More on WhatsApp's Flaw
On WhatsApp, it may be hackers calling
Why it might be time to ditch WhatsApp for Signal or Telegram
Linux vs. Zombieload
Linux vs. Zombieload
Canonical Releases Ubuntu Updates to Mitigate New MDS Security
Canonical Releases Ubuntu Updates to Mitigate New MDS Security Vulnerabilities
Intel and MDS
Intel CPUs impacted by new Zombieload side-channel attack
How Hackers Broke WhatsApp With Just a Phone Call
How Hackers Broke WhatsApp With Just a Phone Call
Cameron Kaiser: ZombieLoad doesn't affect Power Macs
Cameron Kaiser: ZombieLoad doesn't affect Power Macs
WhatsApp is not end-to-end because Facebook keeps copy of keys
The Ultimate Bad Take: Bloomberg's Leonid Bershidsky Thinks A WhatsApp Vulnerability Proves End To End Encryption Is Useless
Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets
Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs
Microarchitectural Data Sampling (MDS) focus now on Intel
Intel reveals four more Spectre-like bugs in its processors
Intel CPU Exploit Zombieload Uses Hyperthreading To Steal Data
Steinar H. Gunderson: Bug fest
Steinar H. Gunderson: Bug fest
RIP Hyper-Threading?
RIP Hyper-Threading? ChromeOS axes key Intel CPU feature over data-leak flaws – Microsoft, Apple suggest snub
Debian Patches New Intel MDS Security Vulnerabilities in Debian
Debian Patches New Intel MDS Security Vulnerabilities in Debian Linux Stretch
Now the BSD World
The BSDs Get Promptly Mitigated For The MDS Side-Channel Vulnerabilities
Zombieload Intel Vulnerability Explained
Zombieload Intel Vulnerability Explained: Nasty Flaw In Millions Of CPUs
More MDS Media Coverage
How to check if your Windows or Linux system is vulnerable to Microarchitectural Data Sampling (MDS) attacks
Buffer the Intel flayer: Chipzilla, Microsoft, Linux world, etc emit fixes for yet more data-leaking processor flaws
Intel Discloses Four New Microarchitectural Data Sampling (MDS) Vulnerabilities
More vulnerabilities affecting Intel chips revealed
MDS Tool: find out if you are vulnerable to Microarchitectural Data Sampling Attacks (MDS)
СloudLinux, LWN and Red Hat on MDS
Beta: СloudLinux 7 and CloudLinux 6 Hybrid kernel is available with a fix for MDS vulnerability
Beta: CloudLinux 6 kernel is available with a fix for MDS vulnerability
MDS: We’re on the case
An MDS reading list
Video: More Details about MDS again from Red Hat
Video: Red Hat explains newly announced CPU bugs