Language Selection

English French German Italian Portuguese Spanish

Security

Patches For The Better Spectre STIBP Approach Revised - Version 7 Under Review

Filed under
Linux
Security

Version 7 of the task property based options to enable Spectre V2 userspace-userspace protection patches, a.k.a. the work offering improved / less regressing approach for STIBP, is now available for testing and code review.

Tim Chen of Intel sent out the seventh revision to these patches on Tuesday night. Besides the Spectre V2 app-to-app protection modes, these patches include the work for disabling STIBP (Single Thread Indirect Branch Predictors) when enhanced IBRS (Indirect Branch Restricted Speculation) is supported/used, and allowing for STIBP to be enabled manually and just by default for non-dumpable tasks.

Read more

Travel Laptop Tips in Practice

Filed under
GNU
Linux
Security

As I've mentioned in previous articles, I recommend buying a cheap, used computer for travel. That way, if you lose it or it gets damaged, confiscated or stolen, you're not out much money. I personally bought a used Acer Parrot C710 for use as a travel computer, because it's small, cheap and runs QubesOS pretty well once you give it enough RAM.

Read more

Security: Updates, Azure AD, Bitwarden, University of Cambridge, Adobe Hole

Filed under
Security
  • Security updates for Wednesday
  • How Azure AD Could Be Vulnerable to Brute-Force and DOS Attacks

    Azure AD is the de facto gatekeeper of Microsoft cloud solutions such as Azure, Office 365, Enterprise Mobility. As an integral component of their cloud ecosystem, it is serving roughly 12.8 million organizations, 950+ million users worldwide, and 90% of Fortune 500 companies on a growing annual basis. Given such a resume, one might presume that Azure Active Directory is secure, but is it?

    Despite Microsoft itself proclaiming “Assume Breach” as the guiding principle of their security strategy, if you were to tell me a week ago that Azure or Office 365 was vulnerable to rudimentary attacks and that it could not be considered secure, then I probably would have even laughed you out of the room. But when a client of ours recently had several of their Office 365 mailboxes compromised by a simple brute-force attack, I was given no alternative but to question the integrity of Azure AD as a whole instead of attributing the breach to the services merely leveraging it and what I found wasn’t reassuring.

    After a simple “Office 365 brute force” search on google and without even having to write a line of code, I found that I was late to the party and that Office 365 is indeed susceptible to brute force and password spray attacks via remote Powershell (RPS). It was further discovered that these vulnerabilities are actively being exploited on a broad scale while remaining incredibly difficult to detect during or after the fact. Skyhigh Networks named this sort of attack “Knock Knock” and went so far as estimating that as many as 50% of all tenants are actively being attacked at any given time. Even worse, it seems as if there is no way to correct this within Azure AD without consequently rendering yourself open to denial of service (DOS) attacks.

  • Looking for an open source password manager? Give Bitwarden a spin

    Everyone needs a password manager to surf the web safely -- they enable you to set virtually crack-proof passwords for all your online accounts, plus store a range of other sensitive data too, all locked behind a single master password.

    If you’re unsatisfied with your current offering, or looking to support an open source alternative, then look at 8bit Solutions LLC’s Bitwarden 1.10.0 and Bitwarden for mobile 1.19.4.

  • This ML Algorithm Can Find Hackers Who Have Broken In Before

    Cybersecurity agencies generally focus on preventing hackers from getting inside systems instead of stopping them from leaking information out. Now a new cybersecurity company called Darktrace is acting on this idea.

    They have developed a tool, in collaboration with mathematicians from the University of Cambridge, that uses machine learning to catch internal breaches.

  • UserLAnd Now Available on F-Droid, New Darktrace Cybersecurity Company, France Is Dumping Google, KDE Bug Day Focusing on Okular November 27th and SuperTux Alpha Release

    A new cybersecurity company called Darktrace has developed a tool in collaboration with the University of Cambridge that uses machine learning to detect internal security breaches. According to FossBytes, Darktrace created an algorithm that "recognizes new instances of unusual behavior". This technique is "based on unsupervised learning, which doesn't require humans to specify what to look for. The system works like the human body's immune system."

  • Did you hear? There's a critical security hole that lets web pages hijack computers. Of course it's Adobe Flash's fault
  • Critical Adobe Flash Bug Impacts Windows, macOS, Linux and Chrome OS

Security: Reproducible Builds, NSC, Apple and Microsoft

Filed under
Security

Security: Hotel Wi-Fi, Updates, Beyond Passwords, Dependencies

Filed under
Security
  • You Know What? Go Ahead and Use the Hotel Wi-Fi

     

    This advice comes with plenty of qualifiers. If you’re planning to commit crimes online at the Holiday Inn Express, or to visit websites that you’d rather people not know you frequented, you need to take precautionary steps that we’ll get to in a minute. Likewise, if you’re a high-value target of a sophisticated nation state—look at you!—stay off of public Wi-Fi at all costs. (Also, you’ve probably already been hacked some other way, sorry.)
     

    But for the rest of us? You’re probably OK. That’s not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.

  • Security updates for Monday
  • Beyond Passwords: 2FA, U2F and Google Advanced Protection
  • Dependencies in open source

    The topic of securing your open source dependencies just seems to keep getting bigger and bigger. I always expect it to get less attention for some reason, and every year I’m wrong about what’s happening out there. I remember when I first started talking about this topic, nobody really cared about it. It’s getting a lot more traction these days, especially as we see stories about open source dependencies being wildly out of date and some even being malicious backdoors.

    So what does it really mean to have dependencies? Ignoring the topic of open source for a minute, we should clarify what a dependency is. If you develop software today, there’s no way you build everything yourself. Even if you’re writing something in a low level language there are other libraries you rely on to do certain things for you. Just printing “hello world” calls into another library to actually print the text on the screen. Nobody builds at this level outside of a few select low level projects. Because of this we use code and applications that someone else wrote. If your business is about selling something online, writing your own web server would be a massive cost. It’s far cheaper to find a web server someone else wrote. The web server would be a dependency. If the web server is open source (which is probably is), we would call that an open source dependency.

Linux kernel Spectre V2 defense fingered for massively slowing down unlucky apps on Intel Hyper-Thread CPUs

Filed under
Linux
Security

Linux supremo Linus Torvalds has voiced support for a kernel patch that limits a previously deployed defense against Spectre Variant 2, a data-leaking vulnerability in modern processors.

Specifically, the proposed patch disables a particular Spectre V2 defense mechanism by default, rather than switching it on automatically. And here's the reason for that suggested change: code runs up to 50 per cent slower on Intel CPUs that use Hyper-Threading with the security defense enabled.

For those not in the know, Hyper-Threading is Chipzilla's implementation of simultaneous multi-threading (SMT), which splits individual CPU cores into two hardware threads. Thus, each core can mostly run two strands of software at the same time. That means a, say, 12-core processor would have 24 hardware threads, effectively presenting itself as a 24-core chip to the operating system and software.

Read more

Also: RADV Lands Another Fast Clear Optimization, Helping An Operation 18x

Security: Facebook/Instagram Breach and More FUD From Microsoft's Friends at WhiteSource

Filed under
Security

Security: Cracking, Fingerprinting and Open Source Security Podcast

Filed under
Security
  • 50 countries vow to fight cybercrime - US, Russia don’t

    Fifty nations and over 150 tech companies pledged Monday to do more to fight criminal activity on the internet, including interference in elections and hate speech. But the United States, Russia and China are not among them.

    The group of governments and companies pledged in a document entitled the “Paris call for trust and security in cyberspace” to work together to prevent malicious activities like online censorship and the theft of trade secrets.

  • Researchers Find Critical Vulnerability In Optical In-Display Fingerprint Sensors, Allowed Attackers To Unlock Devices Instantly

    In-Display Fingerprint sensors seem like an upcoming trend in smartphones. Conventional fingerprint sensors have become quite reliable over the years, but it’s still limited by design. With conventional fingerprint sensors, you need to locate the sensor and then unlock your phone. With the scanner placed under the display, unlocking the device feels much more natural. The technology is still in its infancy and hasn’t really matured yet, but a few companies like OnePlus have already put out phones with In-Display fingerprint sensors.

    Optic sensors used in most of the In-Display fingerprint scanners these days aren’t very accurate and some researchers even discovered a big vulnerability in them, which was patched recently. The vulnerability discovered by Tencent’s Xuanwu Lab gave attackers a free pass, allowing them to bypass the lock screen completely.

    Yang Yu, a researcher from the same team stated that this was a persistent problem present in every In-Display Fingerprint scanner module they tested, also adding that the vulnerability is a design fault of In-display fingerprint sensors.

  • Open Source Security Podcast: Episode 123 - Talking about Kubernetes and container security with Liz Rice

    Josh and Kurt talk to Liz Rice about Kubernetes and container security. How did we get where we are today, what's new and exciting today, and where do we think things are going.

Goa to train teachers in new open-source software apps for cyber security

Filed under
OSS
Security

After working with Google India for wider adoption of internet safety in schools two years ago, Goa education agencies will implement another project to train computer, information and communication technology school and higher secondary teachers in new open-source software applications for cyber security integration.

The State Board of Secondary and Higher Secondary Education and Goa State Council Educational Research and Training (GSCERT) have decided to begin the second programme with over 650 computer teachers from December 4 to 18, Mr. Ajay Jadhav, Board of Study member and coordinator of the first project with Google, said on Friday. The cyber security training syllabus has been worked out and 18 resource persons are ready for the project.

Read more

Security: Japan's Top Cybersecurity Official, SuperCooKey, Information Breach on HealthCare.gov

Filed under
Security
  • Security News This Week: Japan's Top Cybersecurity Official Has Never Used a Computer
  • SuperCooKey – A SuperCookie Built Into TLS 1.2 and 1.3

    TLS 1.3 has a heavily touted feature called 0-RTT that has been paraded by CloudFlare as a huge speed benefit to users because it allows sessions to be resumed quickly from previous visits. This immediately raised an eyebrow for me because this means that full negotiation is not taking place.

    After more research, I’ve discovered that 0-RTT does skip renegotiation steps that involve generating new keys.

    This means that every time 0-RTT is used, the server knows that you’ve been to the site before, and it knows all associated IPs and sign-in credentials attached to that particular key.

  • Information Breach on HealthCare.gov

    In October 2018, a breach occurred within the Marketplace system used by agents and brokers. This breach allowed inappropriate access to the personal information of approximately 75,000 people who are listed on Marketplace applications.

Syndicate content

More in Tux Machines

GNU Compiler and Bison 3.2.2 Release

  • Intel Cascade Lake Support Posted For The GCC Compiler
    Intel developers have submitted their GCC compiler enablement patch for the Cascade Lake 14nm CPUs due out starting in early 2019. The GNU Compiler Collection patch adds support for the -march=cascadelake target for generating optimized code for these upcoming server and enthusiast class processors.
  • Bison 3.2.2 released [stable]
    Bison 3.2 brought massive improvements to the deterministic C++ skeleton, lalr1.cc. When variants are enabled and the compiler supports C++11 or better, move-only types can now be used for semantic values. C++98 support is not deprecated. Please see the NEWS below for more details. Many thanks to Frank Heckenbach for paving the way for this release with his implementation of a skeleton in C++17, and to Nelson H. F. Beebe for testing exhaustively portability issues.

Industrial dev board builds on Raspberry Pi CM3

Kontron announced an industrial-focused “Passepartout” development kit built around a Raspberry Pi Compute Module 3 Light and equipped with a dual Ethernet, HDMI, CAN, 1-Wire, RPi 40-pin connectors. Kontron announced its first Raspberry Pi based product. The Passepartout — which is French for “goes everywhere” and the name of Phileas Fogg’s valet in Jules Verne’s “Around the World in Eighty Days” — builds upon the Linux-driven Raspberry Pi Compute Module 3 Light (CM3L). The Light version lacks the 4GB of eMMC flash of the standard CM3 module but still supports eMMC or microSD storage. The CM3L is otherwise identical, with features including a quad-core, 1.2GHz Broadcom BCM2837 and 1GB of LPDDR2 RAM. Read more

Patches For The Better Spectre STIBP Approach Revised - Version 7 Under Review

Version 7 of the task property based options to enable Spectre V2 userspace-userspace protection patches, a.k.a. the work offering improved / less regressing approach for STIBP, is now available for testing and code review. Tim Chen of Intel sent out the seventh revision to these patches on Tuesday night. Besides the Spectre V2 app-to-app protection modes, these patches include the work for disabling STIBP (Single Thread Indirect Branch Predictors) when enhanced IBRS (Indirect Branch Restricted Speculation) is supported/used, and allowing for STIBP to be enabled manually and just by default for non-dumpable tasks. Read more

today's howtos