Language Selection

English French German Italian Portuguese Spanish

Security

Latest Speculative Execution 'Bug' (Chip Defect)

Filed under
Linux
Hardware
Security
  • L1 Terminal Fault - The Latest Speculative Execution Side Channel Attack

    Details are still light but a new vulnerability is coming out called the L1 Terminal Fault. It's been described as a "train-wreck" and is another big deal in the security space as the latest speculative side-channel attack vector.

    The CVEs are CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 but as of writing they have not been made public yet. I just noticed the code hitting the mainline Linux kernel to this "L1TF - L1 Terminal Fault" vulnerability.

  • Ubuntu updates for L1 Terminal Fault vulnerabilities

    Today Intel announced a new side channel vulnerability known as L1 Terminal Fault. Raoul Strackx, Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and researchers from Intel discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that’s executing on the CPU core. Processors from other vendors are not known to be affected by L1TF.

  • Microsoft Patch Tuesday 17134.228 Enhances Battery Performance and Mitigates L1TF Vulnerability

Security: Reproducible Builds, Firefox, Homebrew, Updates and MacOS

Filed under
Security

Security: OpenPGP, Oracle, DEFCON, Faxploit

Filed under
Security
  • OpenPGP key expiration is not a security measure

    There seems to be some recurring confusion among Gentoo developers regarding the topic of OpenPGP key expiration dates. Some developers seem to believe them to be some kind of security measure — and start arguing about its weaknesses. Furthermore, some people seem to think of it as rotation mechanism, and believe that they are expected to generate new keys. The truth is, expiration date is neither of those.

  • Vulnerability in Java VM Component of Oracle Database allows for Whole System Compromise
  • #DEFCON Vote Hacking Village Refute NASS 'Unfair' Claims

    DEFCON has hit back at criticisms levied at it by the National Association of Secretaries of State (NASS) over the introduction of an area designed to test voting machines.

    In a statement released on 9th August, the NASS said that while it applauded “the goal of DEFCON attendees to find and report vulnerabilities in election systems" it felt it was important to point out that work has been done by states' own information technology teams, and also named the Department of Homeland Security (DHS), the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the private sector, the National Guard and universities as being involved “to enhance and reinforce their cyber postures with penetration testing, risk and vulnerability assessments and many other tools.”

  • How to hack an election, according to a former NSA hacker

    As we find out more about Russia's interference in the 2016 United States presidential election, former NSA hacker and TrustedSec CEO David Kennedy reveals what it would take to hack an election. Kennedy also reveals how France was able to protect themselves. Following is a transcript of the video.

    David Kennedy: What's interesting with the election systems is that as they become more and more electronic, and people can use computer systems to actively go in and cast your votes at the actual ballots, those are all susceptible to attack.

    What the government has tried to do is a technique called air gapping, which means that they're not supposed to be hooked up to the internet or have the ability to communicate the internet, so they can be not hacked by hackers. Essential databases that are used to count the ballots and actually cast votes is connected to multiple networks and the internet. And we're seeing intrusions occur, and so as we're using electronic voting as a method to conduct actual voter ballots, it's a very, very susceptible system. Most of the systems are out of date. Most of the systems aren't protected against hacks. There's definitely possibilities for other influences to have a direct impact on our elections themselves.

  • Faxploit: Breaking the Unthinkable
  • HP Fax Protocol Flaw Exposes Whole Enterprise Network to Exploit

    Check Point has discovered a new vulnerability in HP’s range of office fax machines that allow hackers to exploit a fax number related flaw and gain access to the remainder of the company’s enterprise network. This exploit is not limited to any one product or any particular company’s setup, but it encompasses all of HP’s office fax machines and all-in-one devices that have a faxing system integrated within them.

Security: 'Smartphones', Aporeto Security, Oracle Holes, Hacknet and Updates

Filed under
Security
  • 25 Smartphone Models Found Shipping With Severe Firmware Flaws: Defcon 2018

    Smartphones from small as well as big OEMs are under the radar. OEMs such as ZTE, Leagoo, and Doogee have been included in the list of insecure Android device manufacturers previously as well. Leagoo and Doogee have been reported to come preinstalled with apps that have banking trojans.

  • Aporeto Security and Red Hat OpenShift in Action

    In this short video, we demonstrate how Aporeto integrates with Red Hat OpenShift and leverages the platform’s native capabilities to extract application identity metadata to enforce security.

    Aporeto enforces security uniformly in hybrid and multi-cloud environments and abstracts away the complexities of the underlying infrastructure. As you leverage OpenShift to expand beyond the data center, you can use Aporeto to extend your security policies no matter where your application and its services run.

  • Oracle has flagged a vulnerability that could “completely compromise” customer databases

    Oracle is calling on its customers to immediately patch a security vulnerability that can lead to “complete compromise of the Oracle Database”.

    The vulnerability was found in the Java VM component of the vendor’s database server, but attacks may “significantly impact additional products”, according to a notice on the US National Vulnerability Database.

  • Hacknet gets 'Educational' pricing plan to help teach students about cyber security

    Although primarily intended for entertainment, Hacknet’s simulation is based on real cyber-security principles, while its user interface implements actual Unix commands

  • Security updates for Monday

Critical Oracle Database Flaw and Lack of Accountability

Filed under
Security

Security: Defcon 2018, Cortana and Windows Updates That Break Windows

Filed under
Security

Tesla Software Code

Filed under
OSS
Security
  • Tesla Will Open-Source Its Vehicle Security Software In Push For Safer Vehicles

    Tesla has also directly communicated with hackers to improve its vehicles’ software. Back in 2016, Keen Security Lab, a white hat hacker group based in China, was able to remotely hack a Model S through a compromised WiFi hotspot, conducting one of the first known instances of a Tesla being hacked. Keen Security Lab contacted Tesla after they successfully compromised the electric car, and Tesla promptly pushed an update to address the vulnerability.

  • Tesla Plans to Open-Source Its Vehicle Security Software for Free to Other Automakers

    Believing he has the best solution, Elon Musk plans to make Tesla’s vehicle security software open source so other automakers can adopt the technology for "a safe self-driving future for all." On top of "specialized encryption" for "multiple sub-systems," future Tesla vehicles will ensure drivers always have "override authority" in the event their cars become "wacky."

  • Elon Musk Plans To Open Source Tesla Software Code

    One of the biggest advantages of open sourcing your software is allowing the independent security researchers to access the code and spot the vulnerabilities that might go unnoticed during the internal auditing.

  • Tesla plans to open source its car security software to other automakers for free

    According to the Electrek, with the rise of autonomous driving and car networking technology, the risk of malicious attacks on cars increased. Tesla CEO Elon Musk believes that the company’s car safety software is the best solution, and he plans to open source car safety software to other automakers for a safer autopilot future.

    Musk has publicly expressed concern about hackers attacking car systems. He said that fully blocking ” hacking” is Tesla’s primary security task.

Security Leftovers

Filed under
Security
  • #DEFCON DHS Says Collaboration Needed for Secure Infrastructure and Elections

    Speaking at DEFCON 26 in Las Vegas on the subject of “Securing our Nation's Election Infrastructure”, Jeanette Manfra, assistant secretary, Office of Cybersecurity and Communications from the Department of Homeland Security stressed the need for public and private sector collaboration.

    She said that “instead of thinking of individual risk and your own part, try to think about enterprise and government as a whole.”

    In terms of critical infrastructure, Manfra said that this is “purely voluntary in the private sector” and includes “everyone working for yourself or your company, and this includes academic institutions and the broader private and public partnership to work together to figure our critical infrastructure.”

    She went on to talk about the concept of collective defense, saying that government is “one player in the community,” and with companies and citizens on the front line with government sectors “we have to share information and be transparent and build trust with individuals and entities that we have not done before.”

  • The Enigma of AI & Cybersecurity

    We've only seen the beginning of what artificial intelligence can do for information security.

    Alan Turing is famous for several reasons, one of which is that he cracked the Nazis' seemingly unbreakable Enigma machine code during World War II. Later in life, Turing also devised what would become known as the Turing test for determining whether a computer was "intelligent" — what we would now call artificial intelligence (AI). Turing believed that if a person couldn't tell the difference between a computer and a human in a conversation, then that computer was displaying AI.

    AI and information security have been intertwined practically since the birth of the modern computer in the mid-20th century. For today's enterprises, the relationship can generally be broken down into three categories: incident detection, incident response, and situational awareness — i.e., helping a business understand its vulnerabilities before an incident occurs. IT infrastructure has grown so complex since Turing's era that it can be months before personnel notice an intrusion.

  • Open-source snafu leaves patient data exposed [Ed: They never generalise like this about proprietary software]

    Researchers at cyber security outfit Project Insecurity discovered dozens of security bugs in the OpenEMR system, which is described as the “most popular open source electronic health records and medical practice management solution”.

    Many of the flaws were classified as being of high severity, leaving patient records and other sensitive information within easy reach of would-be hackers.

    One critical flaw meant that an unauthenticated user was able to bypass the patient portal login simply by navigating to the registration page and modifying the URL, Project Insecurity reported in its findings.

  • Open Source Security Podcast: Episode 109 - OSCon and actionable advice

Source Analysis Research

Filed under
OSS
Security
  • Stylistic analysis can de-anonymize code, even compiled code

     

    A presentation today at Defcon from Drexel computer science prof Rachel Greenstadt and GWU computer sicence prof Aylin Caliskan builds on the pair's earlier work in identifying the authors of software and shows that they can, with a high degree of accuracy, identify the anonymous author of software, whether in source-code or binary form.  

  • Even Anonymous Coders Leave Fingerprints

     

    Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, have found that code, like other forms of stylistic expression, are not anonymous. At the DefCon hacking conference Friday, the pair will present a number of studies they've conducted using machine learning techniques to de-anonymize the authors of code samples. Their work could be useful in a plagiarism dispute, for instance, but it also has privacy implications, especially for the thousands of developers who contribute open source code to the world.

DEF CON 26 Reports

Filed under
OSS
Security
Syndicate content

More in Tux Machines

Red Hat News/Leftovers

Cloudgizer: An introduction to a new open source web development tool

Cloudgizer is a free open source tool for building web applications. It combines the ease of scripting languages with the performance of C, helping manage the development effort and run-time resources for cloud applications. Cloudgizer works on Red Hat/CentOS Linux with the Apache web server and MariaDB database. It is licensed under Apache License version 2. Read more

James Bottomley on Linux, Containers, and the Leading Edge

It’s no secret that Linux is basically the operating system of containers, and containers are the future of the cloud, says James Bottomley, Distinguished Engineer at IBM Research and Linux kernel developer. Bottomley, who can often be seen at open source events in his signature bow tie, is focused these days on security systems like the Trusted Platform Module and the fundamentals of container technology. Read more

TransmogrifAI From Salesforce

  • Salesforce plans to open-source the technology behind its Einstein machine-learning services
    Salesforce is open-sourcing the method it has developed for using machine-learning techniques at scale — without mixing valuable customer data — in hopes other companies struggling with data science problems can benefit from its work. The company plans to announce Thursday that TransmogrifAI, which is a key part of the Einstein machine-learning services that it believes are the future of its flagship Sales Cloud and related services, will be available for anyone to use in their software-as-a-service applications. Consisting of less than 10 lines of code written on top of the widely used Apache Spark open-source project, it is the result of years of work on training machine-learning models to predict customer behavior without dumping all of that data into a common training ground, said Shubha Nabar, senior director of data science for Salesforce Einstein.
  • Salesforce open-sources TransmogrifAI, the machine learning library that powers Einstein
    Machine learning models — artificial intelligence (AI) that identifies relationships among hundreds, thousands, or even millions of data points — are rarely easy to architect. Data scientists spend weeks and months not only preprocessing the data on which the models are to be trained, but extracting useful features (i.e., the data types) from that data, narrowing down algorithms, and ultimately building (or attempting to build) a system that performs well not just within the confines of a lab, but in the real world.