Every modern processor has unfixable security flaws

January 3, 2018 – 7:32 PM

Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw. This is more than a little notable; it’s been clear that Microsoft and the Linux kernel developers have been informed of some non-public security issue and have been rushing to fix it. But nobody knew quite what the problem was, leading to lots of speculation and experimentation based on pre-releases of the patches.

Now we know what the flaw is. And it’s not great news, because there are in fact two related families of flaws with similar impact, and only one of them has any easy fix.

The flaws have been named Meltdown and Spectre. Meltdown was independently discovered by three groups—researchers from the Technical University of Graz in Austria, German security firm Cerberus Security, and Google’s Project Zero. Spectre was discovered independently by Project Zero and independent researcher Paul Kocher.

At their heart, both attacks takes advantage of the fact that processors execute instructions speculatively. All modern processors perform speculative execution to a greater or lesser extent; they’ll assume that, for example, a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect.

However, while the discarded effects of this speculative execution don’t alter the outcome of a program, they do make changes to the lowest level architectural features of the processors. For example, speculative execution can load data into cache even if it turns out that the data should never have been loaded in the first place. The presence of the data in the cache can then be detected, because accessing it will be a little bit quicker than if it weren’t cached. Other data structures in the processor, such as the branch predictor, can also be probed and have their performance measured, which can similarly be used to reveal sensitive information.

Source:
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/

Extended Validation Is Broken

December 13, 2017 – 5:38 AM

Extended validation (“EV”) certificates are a unique type of certificate issued by certificate authorities after more extensive validation of the entity requesting the certificate. In exchange for this more rigorous vetting, browsers show a special indicator like a green bar containing the company name, or in the case of Safari completely replace the URL with the company name.

Generally, this process works fairly well, and there are few misissuances. There are not a lack of problems, however. Extended validation certificates include information about the legal entity behind the certificate, but not much else. What a legal entity can be turns out to be quite flexible; James Burton, for example, recently obtained an EV certificate for his company “Identity Verified”. Unfortunately, users are simply not equipped to deal with the nuances of these entities, and this creates a significant vector for phishing.

Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for “Stripe, Inc”, that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably thinking of the payment processor incorporated in Delaware. Here, though, you are talking to the “Stripe, Inc” incorporated in Kentucky. This problem can also appear when dealing with different countries.

How can a user tell which one you’re talking to? Browsers hide this information at first glance, at most showing the country of incorporation. Obviously, here, both the real and fake Stripe are in the same country. With enough mouse clicks, you may be able to open a system certificate viewer, or get your browser to show you the city and state. But neither of these are helpful to a typical user, and they will likely just blindly trust the bright green indicator.

Source:
https://stripe.ian.sh/

New “Quad9” DNS service blocks malicious domains for everyone

November 16, 2017 – 5:16 PM

The Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime—has partnered with IBM and Packet Clearing House to launch a free public Domain Name Service system. That system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts—primarily targeted at organizations that don’t run their own DNS blacklisting and whitelisting services. Called Quad9 (after the 9.9.9.9 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google’s), except that it won’t return name resolutions for sites that are identified via threat feeds the service aggregates daily.

“Anyone anywhere can use it,” said Phil Rettinger, GCA’s president and chief operating officer, in an interview with Ars. The service, he says, will be “privacy sensitive,” with no logging of the addresses making DNS requests—”we will keep only [rough] geolocation data,” he said, for the purposes of tracking the spread of requests associated with particular malicious domains. “We’re anonymizing the data, sacrificing on the side of privacy.”

Intelligence on malicious domains comes from 19 threat feeds—one of which is IBM’s X-Force. Adnan Baykal, GCA’s Chief Technical Advisor, told Ars that the service pulls in these threat feeds in whatever format they are published in, and it converts them into a database that is then de-duplicated. Quad9 also generates a whitelist of domains never to block; it uses a list of the top one million requested domains. During development, Quad9 used Alexa, but now that Alexa’s top million sites list is no longer being maintained, Baykal said that GCA and its partners had to turn to an alternative source for the data—the Majestic Million daily top-million sites feed.

There’s also a “gold list”—domains that should never be blocked, such as major Internet service sites like Microsoft’s Azure cloud, Google, and Amazon Web Services. “We do realize that docs.google.com is hosting phishing attacks,” Baykal said. “But because this is DNS filtering, we cannot block that URL specifically. And we don’t ever want to completely block Google.”

The blocked sites, whitelist, and gold lists are then converted into a Response Policy Zone (RPZ) format before being pushed out to the clusters of DNS servers around the world maintained by Packet Clearing House via DNS zone transfers. The DNS server clusters, which are each load-balanced with dnsdist, use a mix of Unbound and PowerDNS servers to deliver responses. “We’re running two different variants behind a load balancer,” Baykal said, “so that if there’s an issue with one we can take it down, or if there’s a critical vulnerability, we can shut one down and patch it.”

Source:
https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/

Google Just Made Gmail the Most Secure Email Provider on the Planet

October 18, 2017 – 10:57 AM

Anyone with a Gmail account can now activate what the company calls “Advanced Protection,” a set of features that make it harder to hack into your Google account. These are aimed specifically at “high-risk” users, as Google puts it. That is political campaign staffers, activists, journalists, or people in abusive relationships.

The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there’s no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone’s cell phone number by getting the provider to issue a new SIM card, for instance).

Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence.

Source:

https://motherboard.vice.com/en_us/article/kz74ym/google-gmail-advanced-protection-security-keys-yubikeygmail-advanced-protection-security-keys-yubikey

KRACK Attack Devastates Wi-Fi Security

October 16, 2017 – 10:36 AM

A devastating weakness plagues the WPA2 protocol used to secure all modern Wi-Fi networks, and it can be abused to decrypt traffic from enterprise and consumer networks with varying degrees of difficulty.

Not only can attackers peek at supposedly encrypted traffic to steal credentials and payment card data, for example, but in some setups, a third party could also inject malicious code or manipulate data on the wireless network.

Some vendors have already issued security updates and users are advised to patch immediately. U.S. CERT has published a list of affected vendors, but users should note the list is not comprehensive.

Source:
https://threatpost.com/krack-attack-devastates-wi-fi-security/128461/

Page 3 of 35312345...102030...Last »