Language Selection

English French German Italian Portuguese Spanish

Security

Security: Updates, CPU Defects, Patches, Entropy and More

Filed under
Security
  • Security updates for Wednesday
  • ​Linux and Intel slowly hack their way to a Spectre patch

    Spectre and Meltdown are major design flaws in modern CPUs. While they're present in almost all recent processors, because Intel chips are so widely used, Intel is taking most of the heat for these bugs. Nowhere has the criticism been hotter than on the Linux Kernel Mailing List (LKML). That's because unlike Apple and Microsoft operating system developers and OEMS like Dell and HP, Linux programmers do their work in the open. But, when Linux and Intel developers aren't arguing, they are making progress.

  • Meltdown and Spectre - Performance and stability

    There's no perceivable slowness of any kind. So that further helps our experiment, as we have a completely different set of operating systems and kernels to confirm the Windows findings.

  • Randomness in virtual machines

    I always felt that entropy available to the operating system must be affected by running said operating system in a virtual environment – after all, unpredictable phenomena used to feed the entropy pool are commonly based on hardware and in a VM most hardware either is simulated or has the hypervisor mediate access to it. While looking for something tangentially related to the subject, I have recently stumbled upon a paper commissioned by the German Federal Office for Information Security which covers this subject, with particular emphasis on entropy sources used by the standard Linux random-number generator (i.e. what feeds /dev/random and /dev/urandom), in extreme detail:

  • Linus Rants, Cryptojacking Protection, openSUSE and Games

    Linus Torvalds slams Intel's Spectre and Meltdown patches, calling them "COMPLETE and UTTER GARBAGE". See LKML for more.

Why is cryptocurrency open source? This paper from 1999 explains

Filed under
OSS
Security
Sci/Tech

Cryptocurrency's roots go back further than bitcoin. In fact, bitcoin was just the first cryptocurrency to use the blockchain rather than the first cryptocurrency ever.

Other early cryptocurrencies include now venerable names like World of Warcraft (WoW) gold, a digital currency designed for use as a store of value and a transfer medium in the gaming universe of World of Warcraft. It used a proof-of-work mining algorithm in which users would engage with the WoW ecosystem via their computer's graphical interface and complete various digital tasks to be rewarded with gold.

As the fiat currency value of WoW gold increased, it attracted more miners without any corresponding difficulty adjustment, eventually leading to substantial inflation and a collapsing economy.

Today's cryptocurrencies seem to have learned from the problems of the past. For example, bitcoin and many others will adjust mining difficulty to prevent massive inflation when mining power increases.

It's no surprise that almost everything cryptocurrency, from the coins to the exchanges to the wallets, are built on open-source software. This paper from 1999 might be more relevant than ever, especially with a few wallets and coins still being partly or entirely closed source.

Read more

Security: GCab, Open Source Security Podcast, DDoS, Microsoft Hotmail, Tinder's

Filed under
Security
  • GCab and CVE-2018-5345

    Just before Christmas I found a likely exploitable bug in the libgcab library. Various security teams have been busy with slightly more important issues, and so it’s taken a lot longer than usual to be verified and assigned a CVE. The issue I found was that libgcab attempted to read a large chunk into a small buffer, overwriting lots of interesting things past the end of the buffer. ALSR and SELinux saves us in nearly all cases, so it’s not the end of the world. Almost a textbook C buffer overflow (rust, yada, whatever) so it was easy to fix.

  • Open Source Security Podcast: Episode 79 - Skyfall: please don't yell 'fire'
  • Frequency, complexity of DDoS attacks rising: report

    The exploitation of IoT devices and innovation from DDoS attack services are leading to more frequent and complex attacks, according to a newly published infrastructure security report from application and network performance management company Netscout.

  • Hotmail user? You're an insurance risk, says Admiral

    "We found that on comparison website GoCompare, Admiral charged a Hotmail driver £467.04 and a Gmail one £435.68 — £31.36 less," the reporters said.

    Admiral admitted that it does use email domains as one variable in its risk estimation algorithm saying: "Certain domain names are associated with more accidents than others."

  • These Tinder security flaws could let malicious hackers spy on your swipes, photos and matches

    Researchers at Tel Aviv-based security firm Checkmarx found that Tinder's iOS and Android mobile apps still lack the standard HTTPS encryption.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Initial Retpoline Support Added To LLVM For Spectre v2 Mitigation

    The LLVM code has been merged to mainline for the Retpoline x86 mitigation technique for Spectre Variant 2. This will be back-ported to LLVM 6.0 and also LLVM 5.0 with an immediate point release expected to get this patched compiler out in the wild.

    The compiler-side work -- similar to GCC's Retpoline code -- is to avoid generating code where an indirect branch could have its prediction poisoned by a rogue actor. The Retpoline support uses indirect calls in a non-speculatable way.

  • Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges

    The teenage hacker who tore CIA director John Brennan a new AOL-hole is awaiting sentencing in the UK. Kane Gamble, the apparent founder of hacker collective Crackas With Attitude, was able to access classified documents Brennan has forwarded to his personal email account by posing as a Verizon tech. Social engineering is still the best hacking tool. It's something anyone anywhere can do. If you do it well, a whole host of supposedly-secured information can be had, thanks to multiple entities relying on the same personal identifiers to "verify" the social engineer they're talking to is the person who owns accounts they're granting access to.

    Despite claiming he was motivated by American injustices perpetrated around the world (Palestine is namechecked in the teen's multiple mini-manifestos), a lot of what Gamble participated in was plain, old fashioned harassment.

  • The Guardian view on cyberwar: an urgent problem [Ed: Lists several attacks by Microsoft Windows (but names neither)]

    The first known, and perhaps the most successful of these, was the joint US/Israeli Stuxnet attack on the Iranian nuclear programme in 2009. Since then there has been increasing evidence of attacks of this sort by Russia – against Estonia in 2009, and then against Ukraine, where tens of thousands of attacks on everything from power supplies to voting machines have opened an under-reported front in an under-reported war. Across the Baltic, the Swedish government has just announced a beefed-up programme of civil defence, of which the most substantial part will be an attempt to protect its software and networks from attacks. Meanwhile, North Korean state hackers are blamed by western intelligence services for the WannaCry ransomware attacks which last year shut down several NHS hospitals in the UK. Persistent reports suggest the US has interfered in this way with North Korea’s nuclear missile programme.

  • Reproducible Builds: Weekly report #143
  • Don’t Install Meltdown And Spectre Patches, Intel Warns It Would Increase System Reebots
  • On that Spectre mitigations discussion

    By now, almost everybody has probably seen the press coverage of Linus Torvalds's remarks about one of the patches addressing Spectre variant 2. Less noted, but much more informative, is David Woodhouse's response on why those patches are the way they are.

Tails 3.5 Anonymous OS Released to Mitigate Spectre Vulnerability for AMD CPUs

Filed under
Security
Debian

Tails, the open-source Linux-based operating system designed to protect user's privacy while surfing the Internet, also known as Anonymous OS, was updated today to version 3.5.

Coming only two weeks after the Tails 3.4 release, which included patches for the Meltdown and Spectre security vulnerabilities publicly disclosed earlier this month, today's Tails 3.5 update is here to bump the Linux kernel to version 4.14.13 and include the microcode firmware for AMD CPUs to mitigate the Spectre flaw.

Read more

Security: Intel, Norton, Bug Bounty, Defacements, OnePlus, ICO

Filed under
Security

More on 'Complete and Utter Garbage' From Intel

Filed under
Linux
Security
  • Linux Creator Calls Intel Meltdown, Spectre Patches 'Complete and Utter Garbage'
  • Linux creator slams Intel for crappy Meltdown/Spectre patches

    Intel’s had a (mostly) crappy start to the year, thanks to the revelation of Meltdown and Spectre, two major security flaws affecting a wide range of its processors that are present in hundreds of thousands of devices around the world. It’s working to release fixes for them, but Linux creator Linus Torvalds is not impressed by the company’s efforts.

  • ‘WTF is going on?!’ Linux creator attacks Intel as it retracts ‘garbage’ fix for critical bug

    Patches released by Intel Corp. to fix highly malicious Spectre and Meltdown vulnerabilities affecting its CPUs turned out to be faulty, the company admitted, urging customers to stop installing them until further notice.

    Earlier this month, security researchers at Google Project Zero disclosed that data processed by the majority of modern CPUs, be they desktop computers or smartphones, could be vulnerable to critical exploits they called ‘Spectre’ and ‘Meltdown.’ Tech companies reportedly had months to prepare, and since the public announcement of the vulnerabilities, Intel released at least three patches – before discovering that their fix led some PCs to reboot unexpectedly.

  • Spectre Patches, Snap, Happy Birthday LWN and More

    Are you using protection? Longtime kernel developer, Greg Kroah-Hartman, just posted a simple recipe for users to verify whether they are running a Spectre/Meltdown patched version of the Linux kernel.

  • Intel’s Spectre fixes are ‘complete and utter garbage,’ says Linux inventor

    Linux inventor Linus Torvalds has never been one for diplomacy. He previously said “fuck you” to Nvidia for not supporting Linux, and now Intel has angered him enough to generate some more expletives. In a message to the Linux kernel mailing list on the weekend, Torvalds has expressed his dismay at Intel’s security updates to protect against the major Spectre variant 2 CPU vulnerability. The industry has been scrambling to fix the Meltdown and Spectre vulnerabilities, and the variant 2 of Spectre has been particularly challenging.

Canonical Releases Spectre Patches for Ubuntu Linux, Meltdown Fix for PowerPC

Filed under
Security
Ubuntu

Canonical published today a new set of kernel updates for all of its supported Ubuntu Linux releases that include patches for the Spectre and Meltdown security vulnerabilities.

After pulling Intel's microcode firmware update from the software repositories of Ubuntu 17.10, 16.04 LTS, and 14.04 LTS, Canonical now released the Spectre patches for all supported Ubuntu Linux releases, including all official flavors and those using HWE (Hardware Enablement) kernels, and Meltdown kernel patches for PowerPC (PPC64el) architectures.

Read more

Also: Canonical announces Ubuntu product month for February

Security: TPM, Yubikey, Holes, Bricking and Uber

Filed under
Security
  • Trusted Computing

    The Trusted Platform Module on your computer's motherboard could lead to better security for your Linux system.

    The security of any operating system (OS) layer depends on the security of every layer below it. If the CPU can't be trusted to execute code correctly, there's no way to run secure software on that CPU. If the bootloader has been tampered with, you cannot trust the kernel that the bootloader boots. Secure Boot allows the firmware to validate a bootloader before executing it, but if the firmware itself has been backdoored, you have no way to verify that Secure Boot functioned correctly.

  • Locking the screen when removing a Yubikey

    I have my Yubikey on my key ring, so whenever I leave my computer, I have to remove the Yubikey. So why not lock the screen automatically?

  • Corporate cultural issues hold back secure software development

    The study of over 1,200 IT leaders, conducted by analysts Freeform Dynamics for software company CA Technologies, finds 58 percent of respondents cite existing culture and lack of skills as hurdles to being able to embed security within processes.

  • Stop installing our buggy Spectre CPU firmware fixes, Intel says
  • Uber shrugs off flaw that lets hackers bypass two-factor authentication

    Security researcher Karan Saini found the bug in Uber's two-factor authentication process, which has yet to be rolled out widely to Uber users. The flaw relates to the way an account is authenticated when users log in, meaning hackers [sic] with someone's username and password can drift pass the 2FA with ease.

Security: Gmail, Windows, Allscripts, Android and Browsers

Filed under
Security
Syndicate content

More in Tux Machines

Today in Techrights

Security Leftovers

  • One-stop counterfeit certificate shops for all your malware-signing needs

    The Stuxnet worm that targeted Iran's nuclear program almost a decade ago was a watershed piece of malware for a variety of reasons. Chief among them, its use of cryptographic certificates belonging to legitimate companies to falsely vouch for the trustworthiness of the malware. Last year, we learned that fraudulently signed malware was more widespread than previously believed. On Thursday, researchers unveiled one possible reason: underground services that since 2011 have sold counterfeit signing credentials that are unique to each buyer.

  • How did OurMine hackers use DNS poisoning to attack WikiLeaks? [Ed: False. They did not attack Wikileaks; they attacked the DNS servers/framework. The corporate media misreported this at the time.
    The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from expert Nick Lewis.
  • Intel didn't give government advance notice on chip flaws

    Google researchers informed Intel of flaws in its chips in June. The company explained in its own letter to lawmakers that it left up to Intel informing the government of the flaws.

    Intel said that it did not notify the government at the time because it had “no indication of any exploitation by malicious actors,” and wanted to keep knowledge of the breach limited while it and other companies worked to patch the issue.

    The company let some Chinese technology companies know about the vulnerabilities, which government officials fear may mean the information was passed along to the Chinese government, according to The Wall Street Journal.

  • Intel hid CPU bugs info from govt 'until public disclosure'

    As iTWire reported recently, Intel faces a total of 33 lawsuits over the two flaws. Additionally, the Boston law firm of Block & Leviton is preparing a class action lawsuit against Intel chief executive Brian Krzanich for allegedly selling a vast majority of his Intel stock after the company was notified of the two security flaws and before they became public.

  • Intel did not tell U.S. cyber officials about chip flaws until made public [iophk: "yeah right"]

    Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers [sic] had not exploited the vulnerabilities.

  • LA Times serving cryptocurrency mining script [iophk: "JS"]

    The S3 bucket used by the LA Times is apparently world-writable and an ethical hacker [sic] appears to have left a warning in the repository, warning of possible misuse and asking the owner to secure the bucket.

  • Facebook's Mandatory Malware Scan Is an Intrusive Mess

    When an Oregon science fiction writer named Charity tried to log onto Facebook on February 11, she found herself completely locked out of her account. A message appeared saying she needed to download Facebook’s malware scanner if she wanted to get back in. Charity couldn’t use Facebook until she completed the scan, but the file the company provided was for a Windows device—Charity uses a Mac.

  • Tinder plugs flaw that enabled account takeover using just a phone number

    As Tinder uses Facebook profile pics for its users to lure in a mate or several, the 'dating' app is somewhat tied to the social network. When a swipe-hungry Tinder user comes to login to their account they can either do so via Facebook or use their mobile number.

  • `

Android Leftovers

Report from Debian SnowCamp and a Look at Solyd XK, a Debian-Based Distribution

  • Report from Debian SnowCamp: day 1
  • Report from Debian SnowCamp: day 2
    Of course, we’re still sorely lacking volunteers who would really care about mentors.debian.net; the codebase is a pile of hacks upon hacks upon hacks, all relying on an old version of a deprecated Python web framework. A few attempts have been made at a smooth transition to a more recent framework, without really panning out, mostly for lack of time on the part of the people running the service. I’m still convinced things should restart from scratch, but I don’t currently have the energy or time to drive it… Ugh.
  • Installing Solyd XK, a Debian based Linux distribution : Cooking With Linux
    It's time for some more "Cooking With Linux" without a net, meaning the video you are about to watch was recorded live. Today, I'm going to install a new Linux distribution (new to me, anyhow) called Solyd XK.