
Security

Security: Updates, DHS, NetSpectre, Multics Interview

Filed under
Security
  • Security updates for Wednesday
  • DHS Will Shore Up Cybersecurity for America's Infrastructure

    At a cybersecurity summit Tuesday, Homeland Security secretary Kirstjen Nielsen announced the creation of the National Risk Management Center, which will focus on evaluating threats and defending US critical infrastructure against hacking. The center will focus on the energy, finance, and telecommunications sectors to start, and DHS will conduct a number of 90-day “sprints” throughout 2018 in an attempt to rapidly build out the center’s processes and capabilities.

  • New Spectre Variant Hits the Network

    A new proof of concept is a reminder that complex systems can be vulnerable at the most basic level.

    Spectre is back, and this time in a variant that adds something truly new: remote access to cached data. The good news is that access comes at a snail's pace.

    In a research paper published last week, four researchers from Graz University of Technology detailed NetSpectre, "a generic remote Spectre variant 1 attack."

  • Tom Van Vleck on the Multics operating system, security decisions

    Let me start by saying that my understanding has evolved. One of the things that I worked on was the Multics system administration facilities -- and they were quite elaborate. They had many commands and tech manuals describing how to use all those commands, and we built a special-purpose subsystem with different commands for the system administrators and another set of different commands for the system operators. Remember when systems had operators who were trained to operate the computer, instead of having everyone operate their own computers with no training at all?

    It was a big mistake, in retrospect. It used to be that after the Multics operating system crashed -- in large part due to the hardware, which was much less reliable than it is now -- the operator would have to go through a very complex set of recovery steps to get the system back up and all the files happy again. Over time, we realized that every place where the operator had to make a choice and type the right thing was a chance for them to type the wrong thing. Over time, we evolved to a thing where -- when the system crashed -- you said start it up again, and if it turned out that you had to run some recovery step, the system would decide whether or not to do it, and we designed the recovery steps so they could run twice in a row with no negative effect. We aimed toward a completely lights-out, 'no chance for mistakes' interface.

Security Leftovers

Filed under
Security

UK's National Cyber Security Centre Give Advice on Securing Ubuntu 18.04 LTS

Filed under
Security
Ubuntu

Dubbed Bionic Beaver, the Ubuntu 18.04 LTS operating system was launched in April 2018 as the latest release of Canonical's popular Ubuntu Linux OS, and it's a long-term support release that will receive security and software updates for the next five years, until April 2023. The Ubuntu 18.04.1 LTS point release is also available for download and includes all the latest security updates.

Being based on the Linux kernel, Ubuntu is already a secure computer operating system compared to Windows or macOS, but if you're living in the UK (United Kingdom) and you need to configure your Ubuntu 18.04 LTS installations for maximum security, the National Cyber Security Centre tells you how.


Security: Symantec TLS Certificates, Automating Kernel Exploitation, Initial SpectreRSB Support

Filed under
Security
  • Update on the Distrust of Symantec TLS Certificates

    Firefox 60 (the current release) displays an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016 that chains up to a Symantec root certificate. This is part of the consensus proposal for removing trust in Symantec TLS certificates that Mozilla adopted in 2017. This proposal was also adopted by the Google Chrome team, and more recently Apple announced their plan to distrust Symantec TLS certificates. As previously stated, DigiCert’s acquisition of Symantec’s Certification Authority has not changed these plans.

    In early March when we last blogged on this topic, roughly 1% of websites were broken in Firefox 60 due to the change described above. Just before the release of Firefox 60 on May 9, 2018, less than 0.15% of websites were impacted – a major improvement in just a few months’ time.

  • Automating Kernel Exploitation for Better Flaw Remediation

    Black Hat researchers plan on open sourcing a new framework they say can help organizations get a better rein on vulnerability fixes for kernel bugs.

    The explosive disclosure of the Spectre and Meltdown vulnerabilities was like a detonator on the already incendiary field of kernel vulnerabilities this year. Security researchers had previously been ramping up their exploration of kernel bugs, but this year the discoveries have mushroomed considerably.

  • Initial SpectreRSB Support Queued For Merging Into The Mainline Linux Kernel

    Last week "SpectreRSB" was detailed as a new Spectre Variant Two-like attack affecting modern processors. A Linux kernel patch was quick to materialize and now it's been staged for merging soon into the mainline Linux kernel.

    Spectre Return Stack Buffer is just one of the newest speculative execution vulnerabilities affecting at least Intel CPUs. Researchers at the University of California were able to exploit SpectreRSB into leaking private data protected by Intel SGX (Software Guard Extensions) and found that these return stack buffer attacks could be process-to-process or even inter-VM.

The Dark Side of Containers: Protecting Container Data from Itself

Filed under
GNU
Linux
Server
Security

Containers are virtualized but not by hypervisors. They can be deployed to a VM but are not VMs.

Both containers and VMs use server/host OS as the bottom two layers of the stack. In VM environments, the next level is the hypervisor followed by VMs containing guest OS, libraries (div/lib in Linux), and applications. A single VM runs two full operating systems: the host and guest OS.

In contrast, containers do not have a hypervisor layer. A container shares the host OS, housing only the libraries and application code and data. Container benefits include greater portability, less operational overhead, lower OS licensing and maintenance/support costs, and less expensive application development.


Security: Updates, Marcus Hutchins (MalwareTech) and FUD

Filed under
Security

EasySSH is your next favorite GUI SSH client

Filed under
Software
Security

For some tasks, I'm a Linux purist and refuse to budge from the command line. But other tasks could be made a bit more efficient with a GUI tool. One such task is having to log into a data center full of Linux servers. Instead of issuing the command USER@IP (where USER is a user name and IP is the server IP) over and over, wouldn't it be nice to have a simple, one-trick-pony GUI tool that would allow you to store those logins? Fortunately, there are a few such tools available. The one I use the most is EasySSH. This particular take on the SSH GUI tool doesn't offer much in the way of bells and whistles, but it does a great job of keeping all my SSH logins saved, so a login is but a click away.

I know what you're thinking.

Security!

Yes. There is one major caveat to this tool. Anyone who has access to the tool can gain access to your servers. Why? Because usernames/passwords are required to be saved. So if you want to use this tool (which I do), do so only on a machine you trust and that can't (in any way) fall into the wrong hands. Even with that glaring security issue, EasySSH is an application you should consider for your busy Linux remote admin work. Let me show you how to install and use it. I'll be demonstrating on Elementary OS (as EasySSH was developed specifically for Elementary OS), but you can install the tool on any platform that supports Flatpak.


Also: SPAKE2 In Golang: Elliptic Curves Primer

Security: Machine Learning, Signal and NetSpectre

Filed under
Security
  • What Are Machine Learning Models Hiding?

    Federated learning, where models are crowd-sourced from hundreds or even millions of users, is an even juicier target. In a recent paper, we show that a single malicious participant in federated learning can completely replace the joint model with another one that has the same accuracy but also incorporates backdoor functionality. For example, it can intentionally misclassify images with certain features or suggest adversary-chosen words to complete certain sentences.

  • Concerns with Signal receipt notifications

    I'm paraphrasing as I lost my copy of the original chat, but it was striking how he had absolutely no clue how I figured out he had just come home in front of his laptop. He was quite worried I hacked into his system to spy on his webcam or some other "hack". As it turns out, I just made simple assertions based on data Signal provides to other peers when you send messages. Using those messages, I could establish when my friend opened his laptop and the Signal Desktop app got back online.

  • Thoughts on NetSpectre

    In this blog post, I’m going to walk through the NetSpectre vulnerability, what this means to our customers, and what Red Hat and other industry partners are doing to address it.

    Please note that based on Red Hat’s understanding, the observed measured maximum leakage rate from successfully exploiting this vulnerability is on the order of 15-60 bits (2-8 bytes) per hour on a local network, much lower over the internet, and we do not yet have real-world examples of vulnerable code. Nonetheless, the risk posed by sophisticated attackers capable of deploying Advanced Persistent Threats (APTs) like NetSpectre against sensitive installations is real. But it is important to remember that an attacker will require a very significant amount of time to actually pull off a real-world attack.

  • NetSpectre Attack Could Enable Remote CPU Exploitation

    Researchers from Graz University in Austria released new research on July 26 detailing how the Spectre CPU speculative execution vulnerability could be used over a remote network.

    In a 14-page report, the researchers dubbed their attack method NetSpectre, which can enable an attacker to read arbitrary memory over a network. Spectre is the name that researchers have given to a class of vulnerabilities that enable attackers to exploit the speculative execution feature in modern CPUs. Spectre and the related Meltdown CPU vulnerabilities were first publicly disclosed on Jan. 3.

  • NetSpectre: not much of a PowerPC threat either

    In the continuing death march of Spectre side-channel variants for stealing data, all of the known attacks thus far have relied upon code running locally on the computer (so don't run sketchy programs, which have much better ways of pwning your Power Mac than slow and only occasionally successful data leaks). As you'll recall, it is possible for Spectre to succeed on the G5 and 7450 G4e, but not on the G3 and 7400.

    The next generation is making Spectre go remote, and while long hypothesized it was never demonstrated until the newest, uh, "advance" called NetSpectre (PDF). The current iteration comes in two forms.

Security: Updates, Bitwarden, Remote Spectre Exploits, Ascendance of nftables

Filed under
Security
  • Security updates for Friday
  • Update: 3 months with Bitwarden

    Three months ago, I wanted to move away from LastPass — who’ve lately been reducing support for Firefox and other platforms — to an open source password manager instead. I chose to migrate to Bitwarden and I’ve been overall happy with the decision ever since. Here are my thoughts and impressions three months on with Bitwarden.

  • Remote Spectre exploits demonstrated

    This paper from four Graz University of Technology researchers [PDF] describes a mechanism they have developed to exploit the Spectre V1 vulnerability over the net, with no local code execution required. "We show that memory access latency, in general, can be reflected in the latency of network requests. Hence, we demonstrate that it is possible for an attacker to distinguish cache hits and misses on specific cache lines remotely, by measuring and averaging over a larger number of measurements. Based on this, we implemented the first access-driven remote cache attack, a remote variant of Evict+Reload called Thrash+Reload. Our remote Thrash+Reload attack is a significant leap forward from previous remote cache timing attacks on cryptographic algorithms. We facilitate this technique to retrofit existing Spectre attacks to our network-based scenario. This NetSpectre variant is able to leak 15 bits per hour from a vulnerable target system." Other attacks described in the paper are able to achieve higher rates.

  • The Ascendance of nftables

    iptables is the default Linux firewall and packet manipulation tool. If you’ve ever been responsible for a Linux machine (aside from an Android phone perhaps) then you’ve had to touch iptables. It works, but that’s about the best thing anyone can say about it.

    At Red Hat we’ve been working hard to replace iptables with its successor, nftables, which has actually been around for years but for various reasons was unable to completely replace iptables. Until now.

Security: Vista 10, Intel, Internet Cannot be Trusted and Google Promotes Keys

Filed under
Security
  • Enterprise Windows 10 users, Microsoft has some 'quality' patches coming your way

    Running Windows 10 in the enterprise? Took the advice of Microsoft when it said the April 2018 Update was ready for the big leagues? You probably want to install last night's "quality improvements".

    In what is starting to feel a little more frequent than it should, Microsoft pushed out a raft of fixes for the 1803 incarnation of Windows 10 (aka the April 2018 Update), marking the third such update in July and taking the build number to 17134.191.

  • Some of Intel's Effort to Repair Spectre in Future CPUs

    Arjan van de Ven agreed it was extremely unlikely that anyone would claim to be skylake unless it was to take advantage of the RSB issue.

    That was it for the discussion, but it's very cool that Intel is consulting with the kernel people about these sorts of hardware decisions. It's an indication of good transparency and an attempt to avoid the fallout of making a bad technical decision that would incur further ire from the kernel developers.

  • More mitigations against speculative execution vulnerabilities

    Philip Guenther (guenther@) and Bryan Steele (brynet@) have added more mitigations against speculative execution CPU vulnerabilities on the amd64 platform.

  • The Internet Cannot be Trusted – Beamsplitters, Backdoors, and Broken Promises

    We all know that the Internet is not a fundamentally safe place. With the tremendous gains in information sharing and the conveniences that the Internet brings, come opportunities for exploitation. Fraud, harassment, surveillance, censorship, social and political manipulation, industrial and political espionage, data theft and discrimination have all taken hold in one of the greatest tools ever created by mankind.

    This article is intended to show you those failings in design, and the challenges ahead that engineers around the world have to imagine their way out of. I will focus heavily on network equipment, but this problem extends far beyond that horizon. PCs, mobile devices, industrial systems, the cloud, and databases around the world all face serious issues that are beyond the scope of this writing.

  • Google takes on Yubico with its self-made Titan Security Key

    Google's key, similar to Yubico's YubiKey, will now be made available to the general unwashed, with Google announcing that it'll first be made available for Cloud customers before going on sale in the coming months.

    The Titan uses multifactor authentication to protect people against phishing attacks and will be made available in multiple forms, such as a Bluetooth fob or USB stick, acting as an extra layer of security when logging into Google accounts.


RISC-V and NVIDIA

  • Open-Source RISC-V-Based SoC Platform Enlists Deep Learning Accelerator
    SiFive introduces what it’s calling the first open-source RISC-V-based SoC platform for edge inference applications based on NVIDIA's Deep Learning Accelerator (NVDLA) technology. A demo shown at the Hot Chips conference consists of NVDLA running on an FPGA connected via ChipLink to SiFive's HiFive Unleashed board powered by the Freedom U540, the first Linux-capable RISC-V processor. The complete SiFive implementation is suited for intelligence at the edge, where high performance with improved power and area profiles is crucial. SiFive's silicon design capabilities and innovative business model enable a simplified path to building custom silicon on the RISC-V architecture with NVDLA.
  • SiFive Announces First Open-Source RISC-V-Based SoC Platform With NVIDIA Deep Learning Accelerator Technology
    SiFive, the leading provider of commercial RISC-V processor IP, today announced the first open-source RISC-V-based SoC platform for edge inference applications based on NVIDIA's Deep Learning Accelerator (NVDLA) technology. The demo will be shown this week at the Hot Chips conference and consists of NVDLA running on an FPGA connected via ChipLink to SiFive's HiFive Unleashed board powered by the Freedom U540, the world's first Linux-capable RISC-V processor. The complete SiFive implementation is well suited for intelligence at the edge, where high performance with improved power and area profiles is crucial. SiFive's silicon design capabilities and innovative business model enable a simplified path to building custom silicon on the RISC-V architecture with NVDLA.
  • SiFive Announces Open-Source RISC-V-Based SoC Platform with Nvidia Deep Learning Accelerator Technology
    SiFive, a leading provider of commercial RISC-V processor IP, today announced the first open-source RISC-V-based SoC platform for edge inference applications based on NVIDIA’s Deep Learning Accelerator (NVDLA) technology. The demo will be shown this week at the Hot Chips conference and consists of NVDLA running on an FPGA connected via ChipLink to SiFive’s HiFive Unleashed board powered by the Freedom U540, the world’s first Linux-capable RISC-V processor. The complete SiFive implementation is well suited for intelligence at the edge, where high performance with improved power and area profiles is crucial. SiFive’s silicon design capabilities and innovative business model enable a simplified path to building custom silicon on the RISC-V architecture with NVDLA.
  • NVIDIA Unveils The GeForce RTX 20 Series, Linux Benchmarks Should Be Coming
    NVIDIA CEO Jensen Huang has just announced the GeForce RTX 2080 series from his keynote ahead of Gamescom 2018 this week in Cologne, Germany.
  • NVIDIA have officially announced the GeForce RTX 2000 series of GPUs, launching September
    The GPU race continues on once again, as NVIDIA have now officially announced the GeForce RTX 2000 series of GPUs and they're launching in September. This new series will be based on their Turing architecture and their RTX platform. These new RT Cores will "enable real-time ray tracing of objects and environments with physically accurate shadows, reflections, refractions and global illumination." which sounds rather fun.

Benchmarks on GNU/Linux

  • Linux vs. Windows Benchmark: Threadripper 2990WX vs. Core i9-7980XE Tested
    The last chess benchmark we’re going to look at is Crafty and again we’re measuring performance in nodes per second. Interestingly, the Core i9-7980XE wins out here and saw the biggest performance uplift when moving to Linux, a 5% performance increase was seen opposed to just 3% for the 2990WX and this made the Intel CPU 12% faster overall.
  • Which is faster, rsync or rdiff-backup?
    As our data grows (and some filesystems balloon to over 800GBs, with many small files) we have started seeing our nighttime backups continue through the morning, causing serious disk I/O problems as our users wake up and regular usage rises. For years we have implemented a conservative backup policy - each server runs the backup twice: once via rdiff-backup to the onsite server with 10 days of increments kept. A second is an rsync to our offsite backup servers for disaster recovery. Simple, I thought. I will change the rdiff-backup to the onsite server to use the ultra fast and simple rsync. Then, I'll use borgbackup to create an incremental backup from the onsite backup server to our offsite backup servers. Piece of cake. And with each server only running one backup instead of two, they should complete in record time. Except, somehow the rsync backup to the onsite backup server was taking almost as long as the original rdiff-backup to the onsite server and rsync backup to the offsite server combined. What? I thought nothing was faster than the awesome simplicity of rsync, especially compared to the ancient python-based rdiff-backup, which hasn't had an upstream release since 2009.