Intel

Intel Urges OEMs and End Users To Stop Deploying Spectre Patch As It May 'Introduce Higher Than Expected Reboots' (intel.com) 83

Intel executive vice president Neil Shenoy said on Monday that the chip-maker has identified the source of some of the recent problems, so it is now recommended that users skip the available patches. From the blog post: We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.
Android

Yale Privacy Lab and Exodus Privacy's F-Droid Android App Store is a Replacement for Google Play That Features Only FOSS Apps That Don't Do Any Tracking (wired.com) 51

Google Play, the marquee Android apps store, is filled with apps that are riddled with hidden trackers that siphon a smorgasbord of data from all sensors, in all directions, unknown to the Android user. Not content with the strides Google has made to curtail the issue, Yale Privacy Lab has collaborated with Exodus Privacy to detect and expose trackers with the help of the F-Droid app store. From a report on Wired: F-Droid is the best replacement for Google Play, because it only offers FOSS apps without tracking, has a strict auditing process, and may be installed on most Android devices without any hassles or restrictions. F-Droid doesn't offer the millions of apps available in Google Play, so some people will not want to use it exclusively. It's true that Google does screen apps submitted to the Play store to filter out malware, but the process is still mostly automated and very quick -- too quick to detect Android malware before it's published, as we've seen. Installing F-Droid isn't a silver bullet, but it's the first step in protecting yourself from malware.
Intel

Linus Torvalds Calls Intel Patches 'Complete and Utter Garbage' (lkml.org) 409

An anonymous reader writes: On the Linux Kernel Mailing List, Linus Torvalds ended up responding to a long-time kernel developer (and former Intel engineer) who'd been describing a new microcode feature addressing Indirect Branch Restricted Speculation "where a future CPU will advertise 'I am able to be not broken' and then you have to set the IBRS bit once at boot time to *ask* it not to be broken."

Linus calls it "very much part of the whole 'this is complete garbage' issue. The whole IBRS_ALL feature to me very clearly says 'Intel is not serious about this, we'll have a ugly hack that will be so expensive that we don't want to enable it by default, because that would look bad in benchmarks'. So instead they try to push the garbage down to us. And they are doing it entirely wrong, even from a technical standpoint. I'm sure there is some lawyer there who says 'we'll have to go through motions to protect against a lawsuit'. But legal reasons do not make for good technology, or good patches that I should apply."

Later Linus says forcefully that these "complete and utter garbage" patches are being pushed by someone "for unclear reasons" -- and adds another criticism. The whole point of having cpuid and flags from the microarchitecture is that we can use those to make decisions. But since we already know that the IBRS overhead is huge on existing hardware, all those hardware capability bits are just complete and utter garbage. Nobody sane will use them, since the cost is too damn high. So you end up having to look at "which CPU stepping is this" anyway. I think we need something better than this garbage.
Electronic Frontier Foundation

EFF: Thousands of People Have Secure Messaging Clients Infected By Spyware (eff.org) 35

An anonymous reader quotes the EFF: The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data has been stolen, primarily through mobile devices compromised by fake secure messaging clients. The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.

The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors. In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut. "People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos," said EFF Director of Cybersecurity Eva Galperin. "This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life."

Dark Caracal apparently gets installed through carefully-targeted spearphishing attacks, accoridng to the EFF. "Several types of phishing emails directed people -- including military personnel, activists, journalists, and lawyers -- to go to a fake app store-like page, where fake Android apps waited. There is even evidence that, in some cases, Dark Caracal used physical access to people's phones to install the fake apps."
Security

Security Breaches Don't Affect Stock Price, Study Suggests (schneier.com) 28

Computer security professional Bruce Schneier highlights the key findings of a study that suggests security breaches don't affect stock price. The study has been published in the Journal of Information Privacy and Security. From the report: -While the difference in stock price between the sampled breached companies and their peers was negative (1.13%) in the first 3 days following announcement of a breach, by the 14th day the return difference had rebounded to + 0.05%, and on average remained positive through the period assessed.

-For the differences in the breached companies' betas and the beta of their peer sets, the differences in the means of 8 months pre-breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-For the differences in the breached companies' beta correlations against the peer indices pre- and post-breach, the difference in the means of the rolling 60 day correlation 8 months pre- breach versus post-breach was not meaningful at 90, 180, and 360 day post-breach periods.

-In regression analysis, use of the number of accessed records, date, data sensitivity, and malicious versus accidental leak as variables failed to yield an R2 greater than 16.15% for response variables of 3, 14, 60, and 90 day return differential, excess beta differential, and rolling beta correlation differential, indicating that the financial impact on breached companies was highly idiosyncratic.

-Based on returns, the most impacted industries at the 3 day post-breach date were U.S. Financial Services, Transportation, and Global Telecom. At the 90 day post-breach date, the three most impacted industries were U.S. Financial Services, U.S. Healthcare, and Global Telecom.

Privacy

Trump Signs Surveillance Extension Into Law (thehill.com) 93

President Trump took to Twitter this afternoon to announce that he has signed a six-year renewal of a powerful government surveillance tool. "Just signed 702 Bill to authorize foreign intelligence collection," Trump tweeted. "This is NOT the same FISA law that was so wrongly abused during the election. I will always do the right thing for our country and put the safety of the American people first!" The Hill reports: Section 702 of the Foreign Intelligence Surveillance Act (FISA), which the Senate voted to renew with a few small tweaks this week, allows the U.S. to spy on foreigners overseas. The intelligence community says the program is a critical tool in identifying and disrupting terror plots. But the broader surveillance law, which governs U.S. spying on foreigners, has become politically entangled with the controversy over the federal investigation into Trump's campaign and Russia. Some Republicans have claimed that the FBI inappropriately obtained a politically motivated FISA warrant to spy on Trump during the transition and on Friday, Capitol Hill was consumed with speculation about a four-page memo produced by House Intelligence Committee Republicans that some GOP lawmakers hinted contained evidence of such wrongdoing.
Security

Top Bug Hunters Make 2.7 Times More Money Than an Average Software Engineer (bleepingcomputer.com) 66

An anonymous reader shares a report: A survey of 1,700 bug bounty hunters registered on the HackerOne platform reveals that top white-hat hackers make on average 2.7 times more money than the average salary of a software engineer in the same country. The reported numbers are different for each country and may depend on a bug bunter's ability to find bugs, but the survey's results highlight the rising popularity of bug hunting as a sustainable profession, especially in less developed countries, where it can help talented programmers live a financially care-free life. According to HackerOne's report, it pays to be a vulnerability researcher in India, where top bug hunters can make 16 times more compared to the average salary of a software engineer. Other countries where bug hunting can assure someone a comfortable living are Argentina (x15.6), Egypt (x8.1), Hong Kong (x7.6), the Philippines (x5.4), and Latvia (x5.2).
Businesses

Buying Headphones in 2018 is Going To Be a Fragmented Mess (theverge.com) 267

Vlad Savov, writing for The Verge: At CES this year, I saw the future of headphones, and it was messy. Where we once had the solid reliability of a 3.5mm analog connector working with any jack shaped to receive it, there's now a divergence of digital alternatives -- Lightning or USB-C, depending on your choice of jack-less phone -- and a bunch of wireless codecs and standards to keep track of. Oh, and Sony's working hard on promoting a new 4.4mm Pentaconn connector as the next wired standard for dedicated audio lovers. It's all with the intent of making things better, but before we get to the better place, we're going to spend an uncomfortable few months (or longer) in a fragmented market where you'll have to do diligent research to make sure your next pair of headphones works with all the devices you already own.
Security

'Text Bomb' Is Latest Apple Bug (bbc.com) 60

An anonymous reader quotes a report from the BBC: A new "text bomb" affecting Apple's iPhone and Mac computers has been discovered. Abraham Masri, a software developer, tweeted about the flaw which typically causes an iPhone to crash and in some cases restart. Simply sending a message containing a link which pointed to Mr Masri's code on programming site GitHub would be enough to activate the bug -- even if the recipient did not click the link itself. Mr Masri said he "always reports bugs" before releasing them. Apple has not yet commented on the issue. On a Mac, the bug reportedly makes the Safari browser crash, and causes other slowdowns. Security expert Graham Cluley wrote on his blog that the bug does not present anything to be particularly worried about -- it's merely very annoying. After the link did the rounds on social media, Mr Masri removed the code from GitHub, therefore disabling the "attack" unless someone was to replicate the code elsewhere.
Microsoft

Microsoft Resumes Meltdown and Spectre Updates for AMD Devices (bleepingcomputer.com) 49

Microsoft has resumed the rollout of security updates for AMD devices. The updates patch the Meltdown and Spectre vulnerabilities. From a report: Microsoft released these patches on January 3, but the company stopped the rollout for AMD-based computers on January 9 after users reported crashes that plunged PCs into unbootable states. After working on smoothing out the problems with AMD, Microsoft announced today it would resume the rollout of five (out of nine) security updates.
Google

Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication (theregister.co.uk) 254

It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.
Security

Senate Passes Bill Renewing NSA's Internet Surveillance Program (reuters.com) 96

From a report: The U.S. Senate on Thursday passed a bill to renew the National Security Agency's warrantless internet surveillance program for six years and with minimal changes, overcoming objections from civil liberties advocates that it did too little to safeguard the privacy of Americans. From a report on CNET: The programs, known as Prism and Upstream, allow the NSA to collect online communications of foreigners outside the US. Prism collects these communications from internet services, and Upstream taps into the internet's infrastructure to capture information in transit. Some communications from Americans and others in the US are collected in the process. The vote Thursday renews the programs for six years. The House approved a bill renewing the programs last week. Former NSA contractor Edward Snowden first revealed the programs by leaking information about them to journalists in 2013. After the news coverage, the administration of President Barack Obama declassified much information about the programs.
Microsoft

Microsoft Tries To Write the Book On AI (axios.com) 56

When it comes to the ethics and impact of artificial intelligence, Microsoft is literally trying to write the book. From a report: The Future Computed: Artificial Intelligence and its Role in Society is being made available in digital form tonight, with a forward from longtime lawyer Brad Smith and AI/Research chief Harry Shum. Why it matters: Now is the time when a lot of key decisions are being made about how AI will work and the rules that will govern its development. But the discussion has largely been taking place within the tech sector. Axios chatted with Smith and Shum about the book, AI in general and the questions we all should be grappling with. So, why write a book? Smith: There has been a lot of discussion in the tech sector, as you know. But we think that there's an important role to play in trying to take what the tech sector is talking about and broadening the dialogue.
Intel

Intel Says Newer Chips Also Hit by Unwanted Reboots After Patch (zdnet.com) 115

Intel says the unexpected reboots triggered by patching older chips affected by Meltdown and Spectre are happening to its newer chips, too. From a report: Intel confirmed in an update late Wednesday that not only are its older Broadwell and Haswell chips tripping up on the firmware patches, but newer CPUs through to the latest Kaby Lake chips are too. The firmware updates do protect Intel chips against potential Spectre attacks, but machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake architecture processors are rebooting more frequently once the firmware has been updated, Intel said. Intel has also updated its original Meltdown-Spectre advisory with a new warning about the stability issues and recommends OEMs and cloud providers test its beta silicon microcode updates before final release. These beta releases, which mitigate the Spectre Variant 2 CVE-2017-5715 attack on CPU speculative execution, will be available next week.
Mozilla

Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com) 243

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served on over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox will add support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.
Japan

Days After Hawaii's False Missile Alarm, a New One in Japan (nytimes.com) 67

An anonymous reader shares a report: Japan's public broadcaster on Tuesday accidentally sent news alerts that North Korea had launched a missile and that citizens should take shelter -- just days after the government of Hawaii had sent a similar warning to its citizens. The broadcaster, NHK, corrected itself five minutes later and apologized for the error on its evening news (Editor's note: the link may be paywalled; alternative source). The initial texts cited J-Alert, a system used by the government to issue warnings to its citizens about missiles, tsunamis and other natural disasters. But NHK later said that the system was not to blame for the false alarm. Makoto Sasaki, a spokesman for NHK, apologized, saying that "staff had mistakenly operated the equipment to deliver news alerts over the internet."
Nintendo

Hackers Seem Close To Publicly Unlocking the Nintendo Switch (arstechnica.com) 91

Ars Technica reports that "hackers have been finding partial vulnerabilities in early versions of the [Nintendo] Switch firmware throughout 2017." They have discovered a Webkit flaw that allows for basic "user level" access to some portions of the underlying system and a service-level initialization flaw that gives hackers slightly more control over the Switch OS. "But the potential for running arbitary homebrew code on the Switch really started looking promising late last month, with a talk at the 34th Chaos Communication Congress (34C3) in Leipzig Germany," reports Ars. "In that talk, hackers Plutoo, Derrek, and Naehrwert outlined an intricate method for gaining kernel-level access and nearly full control of the Switch hardware." From the report: The full 45-minute talk is worth a watch for the technically inclined, it describes using the basic exploits discussed above as a wedge to dig deep into how the Switch works at the most basic level. At one point, the hackers sniff data coming through the Switch's memory bus to figure out the timing for an important security check. At another, they solder an FPGA onto the Switch's ARM chip and bit-bang their way to decoding the secret key that unlocks all of the Switch's encrypted system binaries. The team of Switch hackers even got an unexpected assist in its hacking efforts from chipmaker Nvidia. The "custom chip" inside the Switch is apparently so similar to an off-the-shelf Nvidia Tegra X1 that a $700 Jetson TX1 development kit let the hackers get significant insight into the Switch's innards. More than that, amid the thousand of pages of Nvidia's public documentation for the X1 is a section on how to "bypass the SMMU" (the System Memory Management Unit), which gave the hackers a viable method to copy and write a modified kernel to the Switch's system RAM. As Plutoo put it in the talk, "Nvidia backdoored themselves."
Security

Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre (betanews.com) 104

Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.
Security

Researchers Uncover Android Malware With Never-Before-Seen Spying Capabilities (arstechnica.com) 102

An anonymous reader quotes a report from Ars Technica: According to a report published Tuesday by antivirus provider Kaspersky Lab, "Skygofree" is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, gelocation data, calendar events, and business-related information stored in device memory. Skygofree also includes the ability to automatically record conversations and noise when an infected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that's designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers. Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide among other things a reverse shell, a keylogger, and a mechanism for recording Skype conversations.
Bug

Now Meltdown Patches Are Making Industrial Control Systems Lurch (theregister.co.uk) 98

Patches for the Meltdown vulnerability are causing stability issues in industrial control systems. From a report: SCADA vendor Wonderware admitted that Redmond's Meltdown patch made its Historian product wobble. "Microsoft update KB4056896 (or parallel patches for other Operating System) causes instability for Wonderware Historian and the inability to access DA/OI Servers through the SMC," an advisory on Wonderware's support site explains. Rockwell Automation revealed that the same patch had caused issues with Studio 5000, FactoryTalk View SE, and RSLinx Classic (a widely used product in the manufacturing sector). "In fairness [this] may be RPC [Remote Procedure Call] change related," said cybersecurity vulnerability manager Kevin Beaumont.

Slashdot Top Deals