Security

Security: Updates, Reproducible Builds, IoT Applications

Purism on Coreboot and More

  • Coreboot and Skylake, part 2: A Beautiful Game!

    While most of you are probably excited about the possibilities of the recently announced “Librem 5” phone, today I am sharing a technical progress report about our existing laptops, particularly findings about getting coreboot to be “production-ready” on the Skylake-based Librem 13 and 15, where you will see one of the primary reasons we experienced a delay in shipping last month (and how we solved the issue).

  • Purism Highlights Challenges During Coreboot Development

    Taking a brief break from their Librem 5 smartphone campaign, there's a new Purism blog post today that explains at length why this summer's Librem laptop shipments were delayed due to a pesky Coreboot bug lasting weeks and what it took to come to a workaround.

  • Linux Phone Crowdfunder Passes $100k Milestone

    Computer maker Purism’s crowdfunding campaign for a privacy-focused phone powered by open-source software has raised over $100,000 in just 4 days.

    At the time of writing $104,300 has been pledged to the project, which aims to deliver a full-featured Linux phone powered, in part, by Matrix.org’s communication platform.

Disabling NSA Back Door (Intel ME)

  • Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA

    Researchers from Positive Technologies — a provider of enterprise security solutions — have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs.

    Intel ME is a separate processor embedded with Intel CPUs that runs its own operating system complete with processes, threads, memory manager, hardware bus driver, file system, and many other components.

    Intel has always advertised Intel ME as a way for companies to manage computers running on their internal networks. Intel ME includes tools that allow system administrators to monitor, maintain, update, upgrade, and repair computers from a remote, central location.

  • Now you, too, can disable Intel ME 'backdoor' thanks to the NSA

    A team of researchers from Positive Technologies discovered an undocumented configuration setting, designed for use by government agencies, to disable Intel Management Engine 11. Now you too can partake in this government privilege to inactivate Intel’s proprietary CPU master controller.

  • Researchers say Intel's Management Engine feature can be switched off

    That's not an option for the general public, but researchers at Russian security firm Positive Technologies have found a way to use these government-only privileges to disable ME.

    ME is a core component of modern Intel chips that if compromised can provide an attacker with a powerful backdoor. As the researchers note, ME can't be completely disabled because of its role in initializing hardware, power management, and launching the main processor.

Security: PKI, ME, and Titan

  • PKI is needed for micro-services

    Someone would say: but we can trust the source IP!
    The short answer to this is: no.

    The long answer is: no! no! no! no! no! no! no! no! no!

    An IP address is not secure by design, the network can be manipulated quite easily with an L2 access (like one server compromised).

    Also, the IP layer is not encrypted by default, so if you have to use some kind of encryption on top in your application, what’s the point of encrypting everything with a pre-shared key when you can use an asymmetric layout?

  • Disabling Intel ME 11 via undocumented mode

    Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.

    Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.

    [...]

    Some users of x86 computers have asked the question: how can one disable Intel ME? The issue has been raised by many, including Positive Technologies experts. And with the recently discovered critical (9.8/10) vulnerability in Intel Active Management Technology (AMT), which is based on Intel ME, the question has taken on new urgency.

    The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards. The main method used by enthusiasts trying to disable ME is to remove everything "redundant" from the image while maintaining the computer's operability. But this is not so easy, because if built-in PCH code does not find ME modules in the flash memory or detects that they are damaged, the system will not start.

    Intel representatives have been informed about the details of our research. Their response has confirmed our hypothesis about the connection of the undocumented mode with the High Assurance Platform program.

    [...]

    We believe that this mechanism is designed to meet a typical requirement of government agencies, which want to reduce the possibility of side-channel leaks. But the main question remains: how does HAP affect Boot Guard? Due to the closed nature of this technology, it is not possible to answer this question yet, but we hope to do so soon.

  • Google opens up on Titan security: Here's how chip combats hardware backdoors

    Google has detailed how its custom Titan security chip will prevent threats that use firmware-based attacks.

    When it unveiled its tiny Titan chip, Google said it planned to use the processor to give each server in its cloud its own identity.

Security: Updates, FOSS Encryption, and Helicopter Security

  • Security updates for Monday
  • Identiv Raises the Standard of Physical Security With Its First Open Source Software Release

    The use of proprietary encryption schemes and measures — or "security through obscurity" — has proven to be inadequate against modern attack methods. By publishing and sharing its Open Access Card Format, Identiv raises the standard of physical access security by encouraging others to use, review, or extend its implementation. This tool will allow users to program and encode their own physical access cards with secure DESFire EV1/EV2 encryption keys and credential identification data. Customers get the benefit of Common Criteria-certified security without being locked into a single card source. Initially, Identiv will be releasing the OACF specification publicly while the source code will be available on request. The code will include a simple tool for reading and writing uTrust TS-compatible cards. All code will be shared via GitHub.

  • Helicopter security

    Now as we know from children, if you prevent someone from doing anything they don't become your obedient servant, they go out of their way to make sure the authority has no idea what's going on. This is basically how shadow IT became a thing. It was far easier to go around the rules than work with the existing machine. Helicopter security is worse than nothing. At least with nothing you can figure out what's going on by asking questions and getting honest answers. In a helicopter security environment information is actively hidden because truth will only get you in trouble.

GnuPG 2.2.0

  • GnuPG 2.2 Released

    Werner Koch has announced the release of GNU Privacy Guard's GnuPG 2.2 stable series.

  • What’s new in GnuPG 2.1

    GnuPG version 2.1 (now known as 2.2) comes with a bag of new features which changes some things old-timers are used to. This page explains the more important ones. It expects that the reader is familiar with GnuPG version 2.0 and aware that GnuPG consists of gpg, gpgsm, and gpg-agent as its main components.

  • GnuPG 2.2.0 released

    Version 2.2.0 of the GNU Privacy Guard is out; this is the beginning of a new long-term stable series. Changes in this release are mostly minor, but it does now install as gpg rather than gpg2, and it will automatically fetch keys from keyservers by default.

Security: Encryption, NSA, and SMTP

  • benchmarking security tokens speed
  • How Quantum Computing Will Change Browser Encryption

    From a protocol point of view, we're closer to a large-scale quantum computer than many people think. Here's why that's an important milestone.

  • If you're surprised the NSA can hack your computer, you need a reality check

    Colour me shocked. It appears the NSA has been collecting a treasure trove of hacks for Windows, both desktop and servers, covering all versions of the OS bar Windows 10. And this toolbox of capabilities, which also included ways to get into banking and other related systems, has leaked to the public.

    I suspect your jaw isn’t gaping in surprise. What’s followed has been just as predictable.

    First, there’s shock that the NSA might have built such a collection of exploits. Sorry, what do you expect the NSA to be doing? Creating toolkits that can be used against undesirables is what it exists for. Injecting custom spyware onto the laptop of a terrorist could bring up incredibly useful intelligence information, after all.

  • Twenty-plus years on, SMTP callbacks are still pointless and need to die

    A rarely used legacy misfeature of the main Internet email protocol creeps back from irrelevance as a minor annoyance. You should ask your mail and antispam provider about their approach to 'SMTP callbacks'. Be wary of any assertion that is not backed by evidence.

Security: MalwareTech, Passwords Leak, Security Updates and Reproducible Builds

  • MalwareTech’s legal defense fund bombarded with fraudulent donations

    Marcus Hutchins, the popular British security researcher, has a new legal headache beyond the criminal charges against him.

    Hutchins, AKA "MalwareTech," pleaded not guilty two weeks ago to criminal charges in Wisconsin that accuse him of creating and distributing the Kronos malware that steals banking credentials. Now comes word that his legal defense fund was riddled with illicit donations.

  • Leak of >1,700 valid passwords could make the IoT mess much worse

    Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.

    The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.

  • Security updates for Friday
  • Reproducible Builds: Weekly

Blaming GNU/Linux for Facebook Issues


Security: Updates, Phones, Kaspersky, Monero Pool, Microsoft-Connected SourceClear, Ransomware, and Android


More in Tux Machines

Security: Updates, Tinder, FUD and KPTI Meltdown Mitigation

  • Security updates for Friday
  • Tinder vulnerability let hackers [sic] take over accounts with just a phone number

    The attack worked by exploiting two separate vulnerabilities: one in Tinder and another in Facebook’s Account Kit system, which Tinder uses to manage logins. The Account Kit vulnerability exposed users’ access tokens (also called an “aks” token), making them accessible through a simple API request with an associated phone number.

  • PSA: Improperly Secured Linux Servers Targeted with Chaos Backdoor [Ed: Drama queen once again (second time in a week almost) compares compromised GNU/Linux boxes to "back doors"]
    Hackers are using SSH brute-force attacks to take over Linux systems secured with weak passwords and are deploying a backdoor named Chaos. Attacks with this malware have been spotted since June, last year. They have been recently documented and broken down in a GoSecure report.
  • Another Potential Performance Optimization For KPTI Meltdown Mitigation
    Now that the dust is beginning to settle around the Meltdown and Spectre mitigation techniques on the major operating systems, in the weeks and months ahead we are likely to see more performance optimizations come to help offset the performance penalties incurred by mitigations like kernel page table isolation (KPTI) and Retpolines. This week a new patch series was published that may help with KPTI performance.

Purism News

  • February 2018 coreboot update now available
    Hey everyone, I’m happy to announce the release of an update to our coreboot images for Librem 13 v2 and Librem 15 v3 machines. All new laptops will come pre-loaded with this new update, and everyone else can update their machines using our existing build script which was updated to build the newest image. Some important remarks:
  • Purism Releases Updated Coreboot Images For Their Laptops
    Purism has released updated Coreboot images for their Librem 13 v2 and Librem 15 v3 laptops. The updated Coreboot images are now re-based to Coreboot 4.7, Intel FSP 2.0, IOMMU (VT-d) support is now available, TPM support is also enabled, and there are fixed ATA errors for 6Gbps speeds.
  • New Inventory with TPM by Default, Free International Shipping
    In November, we announced the availability of our Trusted Platform Module as a $99 add-on for early adopters, something that would allow us to cover the additional parts & labor costs, as well as test the waters to see how much demand there might be for this feature. We thought there would be “some” interest in that as an option, but we were not sure how much, especially since it was clearly presented as an “early preview” and offered at extra cost.

Mycroft AI on Plasma

Mycroft is running through the last 24 hours of the crowdfunding campaign for its Mark II assistant. The machine looks awesome and offers similar functionality to other proprietary alternatives, but with none of the spying and leaking of personal data. The Mark 2 will be delivered to backers at the end of this year, but you can enjoy the pleasures of giving orders to an AI right now by installing the Mycroft widget on Plasma courtesy of KDE hacker Aditya Mehra.

Android Leftovers