Security

Security: OpenBSD, FUD and More

Filed under Security
  • OpenBSD Disabling SMT / Hyper Threading Due To Security Concerns

    Security-oriented BSD operating system OpenBSD is making the move to disable Hyper Threading (HT) on Intel CPUs and, more broadly, moving to disable SMT (Simultaneous Multi Threading) on other CPUs too.

    Disabling Intel HT, to be followed by disabling SMT for other architectures, is being done in the name of security. "SMT (Simultaneous Multi Threading) implementations typically share TLBs and L1 caches between threads. This can make cache timing attacks a lot easier and we strongly suspect that this will make several spectre-class bugs exploitable. Especially on Intel's SMT implementation which is better known as Hyper-threading. We really should not run different security domains on different processor threads of the same core."

    OpenBSD could improve their kernel's scheduler to work around this, but given that is a large feat, at least for now they have decided to disable Hyper Threading by default.

    Those wishing to toggle OpenBSD's SMT support can use the new hw.smt sysctl setting on OpenBSD/AMD64, which is being extended to cover CPUs from other vendors and architectures.

  • Linux malware threats - bots, backdoors, trojans and malicious apps [Ed: Ignoring back doors in Windows and other proprietary platforms to instead focus on malicious software one actually needs to install on one's machine or choose a trivial-to-guess password (when there are open ports)]
  • Does Open Source Boost Security? Hortonworks Says Yes

    Organizations are best served security-wise if they favor and adopt open source technology — especially enterprise open source — over proprietary alternatives, according to Hortonworks. However, not everybody agrees that open source software intrinsically is more secure.

    It’s tough to argue that open source hasn’t brought significant benefits to the IT industry and the tens of thousands of organizations that rely on IT products to automate their operations. Starting with the introduction of Linux in the late 1990s, major swaths of the tech industry have shifted to open source development methodologies. That includes the vast majority of the big data ecosystem, which has been largely bootstrapped by various Apache Software Foundation projects.

  • Don't Neglect Open Source Security [Ed: Well, if you have chosen proprietary software, then you have already given up on security altogether. With FOSS there's at least control and hope.]
  • How to build a strong DevSecOps culture: 5 tips [Ed: Red Hat is still promoting dumb buzzwords that help employers overwork their staff]
  • A Framework to Strengthen Open Source Security and Compliance [Ed: Firms that profit from perceived insecurity of FOSS push so-called 'white papers' into IDG]

Security: Updates, Reproducible Builds and Windows 'Fun'

Filed under Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #164
  • PyRoMineIoT cryptojacker uses NSA exploit to spread

    Larry Trowell, principal consultant with Synopsys Software Integrity Group, said the government shares some of the blame for the NSA exploit.

    "It's in every country's interest to develop systems enabling offensive and defensive strategies to protect individuals and national services," Trowell wrote via email. "There is no fault in that. If the NSA does have some blame to share in this situation, it is for allowing secrets to be exfiltrated -- not in developing them."

    Jett said although the NSA exploit was stolen, "they didn't create the vulnerabilities that allow for the malware to exploit devices."

    "As such, you can't hold them responsible for the malware that has emerged from the EternalRomance exploit. Vendors whose products are vulnerable to EternalRomance are responsible for resolving the exploit problem," Jett wrote. "Additionally, it has been more than a year since the NSA exploits were released, and vendors have created patches. It becomes incumbent on the users to make sure they are properly patching their software and reducing the threat surface for these exploits."

  • Can Hackers Crack the Ivory Towers?

    While both researchers agreed that their colleagues would gain from incorporating hackers' discoveries into their own work, they diverged when diagnosing the source of the gulf between the two camps and, to a degree, even on the extent of the rift.

  • 6-Year-Old Malware Injects Ads, Takes Screenshots On Windows 10

    A sneaky and persistent malware has surfaced which spams Windows 10 PCs with ads and takes screenshots to eventually send them to the attackers.

    Security researchers at Bitdefender found this malware named Zacinlo which first appeared in 2012. About 90% of Zacinlo’s victims are from the US running Microsoft Windows 10. There are other victims too from Western Europe, China, and India with a small fraction running Windows 7 or 8.

Security: Open Source Security Podcast, New Updates, MysteryBot and Grayshift

Filed under Security

Security Leftovers

Filed under Security
  • Hackers May Have Already Defeated Apple’s USB Restricted Mode For iPhone

    Recently, the iPhone-maker announced a security feature to prevent unauthorized cracking of iPhones. When the device isn’t unlocked for an hour, the Lightning port can be used for nothing but charging. The feature is a part of the iOS 12 update, which is expected to launch later this month.

  • Cops Are Confident iPhone Hackers Have Found a Workaround to Apple’s New Security Feature

    Apple confirmed to The New York Times Wednesday it was going to introduce a new security feature, first reported by Motherboard. USB Restricted Mode, as the new feature is called, essentially turns the iPhone’s lightning cable port into a charge-only interface if someone hasn’t unlocked the device with its passcode within the last hour, meaning phone forensic tools shouldn’t be able to unlock phones.

    Naturally, this feature has sent waves throughout the mobile phone forensics and law enforcement communities, as accessing iPhones may now be substantially harder, with investigators having to rush a seized phone to an unlocking device as quickly as possible. That includes GrayKey, a relatively new and increasingly popular iPhone cracking tool. But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet.

  • How Secure Are Wi-Fi Security Cameras?
  • Trump-Kim Meeting Was a Magnet For Russian Cyberattacks

Security Leftovers

Filed under Security
  • Vendors, Disclosure, and a bit of WebUSB Madness

    Was there any specific bug to report before we gave the talk? No, because it was widely discussed in the security scene that WebUSB is a bad idea. We believe we have demonstrated that by showing how it breaks U2F. There was no single issue to report to Google or Yubico, but a public discussion to trigger so WebUSB is fixed.

    [...]

    I do not know what “private outreach” means and why Yubico lied about being unable to replicate our findings in a call on March 2nd, even though they had it apparently working internally.

  • Librarian Sues Equifax Over 2017 Data Breach, Wins $600

    “The small claims case was a lot more about raising awareness,” said West, a librarian at the Randolph Technical Career Center who specializes in technology training and frequently conducts talks on privacy and security.

    “I just wanted to change the conversation I was having with all my neighbors who were like, ‘Ugh, computers are hard, what can you do?’ to ‘Hey, here are some things you can do’,” she said. “A lot of people don’t feel they have agency around privacy and technology in general. This case was about having your own agency when companies don’t behave how they’re supposed to with our private information.”

  • On the matter of OpenBSD breaking embargos (KRACK)
  • The UK's worst public sector IT disasters

Lazy FPU Vulnerability Now Patched for Red Hat Enterprise Linux 7, CentOS 7 PCs

Filed under Security

Red Hat promised to release patches for the new speculative execution security vulnerability (CVE-2018-3665), which affects the "lazy restore" function for floating point state (FPU) in modern processors, leading to the leak of sensitive information, and the patches are now available for all Red Hat Enterprise Linux 7 users. The company urges everyone using any of the systems listed below to update immediately.

Affected systems include Red Hat Enterprise Linux Server 7, Red Hat Enterprise Linux Server - Extended Update Support 7.5, Red Hat Enterprise Linux Workstation 7, Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux 7 for IBM System z, POWER, ARM64 systems, Red Hat Enterprise Linux for Scientific Computing 7, Red Hat Enterprise Linux EUS Compute Node 7.5, and Red Hat Virtualization Host 4.


Security Leftovers

Filed under Security

Security: Cortana Hole, Docker Hub Woes, and Intel FPU Speculation Vulnerability

Filed under Security

Security: Intel, Updates and More

Filed under Security
  • New Lazy FP State Restore Vulnerability Affects All Intel Core CPUs
  • CVE-2018-3665: Floating Point Lazy State Save/Restore vulnerability affects Intel chips
  • New flaw in Intel processors can be exploited in a similar way to Spectre

    A new security vulnerability has been found in Intel’s family of Core processors, along similar lines to the major Spectre bug that has been making headlines all year. Thankfully, this one appears to be less severe – and is already patched in modern versions of Windows and Linux.

    The freshly-discovered hole is known as the ‘Lazy FP state restore’ bug, and like Spectre, it is a speculative execution side channel attack. Just a few weeks back, we were told to expect further spins on speculative execution attack vectors, and it seems this is one.

    Intel explains: “Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel.”

  • openSUSE Leap 15 Now Offering Images for RPis, Another Security Vulnerability for Intel, Trusted News Chrome Extension and More

    Intel yesterday announced yet another security vulnerability with its Core-based microprocessors. According to ZDNet, Lazy FP state restore "can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system." Note that Lazy State does not affect AMD processors.

  • Security updates for Thursday
  • FBI: Smart Meter [Cracks] Likely to Spread

    A series of [cracks] perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology.

  • Introducing Graphene-ng: running arbitrary payloads in SGX enclaves

    A few months ago, during my keynote at Black Hat Europe, I was discussing how we should be limiting the amount of trust when building computer systems. Recently, a new technology from Intel has been gaining popularity among both developers and researchers, a technology which promises a big step towards such trust-minimizing systems. I’m talking about Intel SGX, of course.

Security: Windows Ransomware, Cortana Holes, Google Play Protect and More

Filed under Security
  • The worst types of ransomware attacks
  • Patched Cortana Bug Let Hackers Change Your Password From the Lock Screen
  • What is Google Play Protect and How Does it Keep Android Secure?
  • Another day, another Intel CPU security hole: Lazy State

    Once upon a time, when we worried about security, we worried about our software. These days, it's our hardware, our CPUs, with problems like Meltdown and Spectre, which are out to get us. The latest Intel revelation, Lazy FP state restore, can theoretically pull data from your programs, including encryption software, from your computer regardless of your operating system.

    Like its forebears, this is a speculative execution vulnerability. In an interview, Red Hat Computer Architect Jon Masters explained: "It affects Intel designs similar to variant 3-a of the previous stuff, but it's NOT Meltdown." Still, "It allows the floating point registers to be leaked from another process, but alas that means the same registers as used for crypto, etc." Lazy State does not affect AMD processors.

  • Eric S. Raymond on Keeping the Bazaar Secure and Functional
  • Purple testing and chaos engineering in security experimentation

    The way we use technology to construct products and services is constantly evolving, at a rate that is difficult to comprehend. Regrettably, the predominant approach used to secure design methodology is preventative, which means we are designing stateful security in a stateless world. The way we design, implement, and instrument security has not kept pace with modern product engineering techniques such as continuous delivery and complex distributed systems. We typically design security controls for Day Zero of a production release, failing to evolve the state of our controls from Day 1 to Day (N).

    This problem is also rooted in the lack of feedback loops between modern software-based architectures and security controls. Iterative build practices constantly push product updates, creating immutable environments and applying complex blue-green deployments and dependencies on ever-changing third-party microservices. As a result, modern products and services are changing every day, even as security drifts into the unknown.
