STE WILLIAMS

How are the shares, Bry? Intel chief cops to CPU fix slowdowns

Intel’s boss has finally admitted software fixes to address the Meltdown and Spectre vulnerabilities in most modern CPUs will incur a performance hit.

At the Consumer Electronics Show in Las Vegas on Monday, Brian Krzanich stuck to the line that the design weaknesses represented an “industry-wide issue across several different processor architectures”.

He said Chipzilla has no evidence that the processor flaws – successfully demonstrated by security researchers – had been exploited by malicious hackers and advised businesses and consumers alike to apply security patches.

“As of now, we have not received any information that these exploits have been used to obtain customer data,” Krzanich said. “And we are working tirelessly on these issues to ensure it stays that way. The best thing you can do to make sure your data remains safe is to apply any updates from your operating system vendor and system manufacturer as soon as they become available.”

Krzanich went on to promise fixes for the majority of Intel CPUs within a week, with the rest to follow by the end of January.

“We believe the performance impact of these updates is highly workload-dependent,” he said. “As a result, we expect some workloads may have a larger impact than others, so we will continue working with the industry to minimise the impact on those workloads over time.”

Intel’s admission follows public statements by other IT heavyweights that applying the Spectre and Meltdown patches incurs a price. Red Hat has spoken of a performance hit of between one and 20 per cent, while Google has spoken about “minimal performance impact”.

Impacts are workload-dependent with Amazon customers, among others, already seeing the effects of patching, as previously reported.

The reduced horsepower effects are mainly the consequence of Meltdown patches, which on Linux apply separation between the kernel and user virtual memory address spaces through a technology called Kernel Page Table Isolation, or KPTI.

Meltdown and Spectre have shaken the IT industry to its core since they were exposed by The Register last week.

Meltdown creates a means for user applications to read kernel memory and is limited to Intel processors (and the Arm Cortex-A75). Radical patches for Linux, Windows and macOS have been designed and delivered to address the vulnerability.

The other flaw, Spectre, is more difficult to exploit, and potentially more serious and trickier to fix properly. Spectre has been demonstrated on Intel Ivy Bridge, Haswell and Skylake processors, AMD Ryzen CPUs, and several ARM-based Samsung and Qualcomm system-on-chips that end up in smartphones.

A combination of microcode updates and kernel countermeasures known as Indirect Branch Restricted Speculation (IBRS) has been developed to thwart attacks that steal data from kernels and hypervisors. But Intel has not yet released updated microcode for Linux users – official downloads date back to November 2017.

Reader Tim S told The Register: “This has left Linux users and developers in the dark and has forced e.g. Debian developers to package unofficial versions dating from December but this doesn’t patch many processors. Even for relatively recent processors such as Skylake desktop processors, the available packages (both official and ‘unofficial’) include Skylake microcodes dated April 2017 – before Intel was notified of the bugs – and so almost certainly don’t patch the problem.”

Another variant of Spectre, through which hackers might be able to spy on applications, remains unpatched. Several software-based mitigation approaches for Spectre have been suggested and may well have some utility, even though it looks like they will fall short of completely nailing the problem.

Daniel Genkin, one of the authors of the Spectre research paper, previously told El Reg that only a hardware redesign would eliminate the root cause of Spectre. CERT initially agreed with this assessment, stating on January 3 that the “underlying [Spectre] vulnerability is caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware”, before modifying its advice to applying vendor fixes later in the week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/09/intel_boss_ces_keynote_spectre/

Barracuda snags email security biz ahead of private equity plunge

Backup and security biz Barracuda made the largest profit it has seen in more than three and a half years in its third fiscal 2018 quarter, its last as a public company.

Revenues were $94.7m, up 7 per cent year-on-year and $400,000 on a quarterly basis. Net income was $7.8m, compared to the previous quarter’s $1.6m.

Subscription revenue grew to $77.3m, up 13 per cent from $68.3m a year ago, representing 82 per cent of total revenue, and shrinking appliance revenue was $17.5m, compared with $20.5m a year ago.

[Chart: Barracuda revenues to Q3 fiscal 2018. Caption: Last-minute profit hike to impress private equity buyers?]

The number of active subscribers grew 16 per cent to over 360,000 as of November 30, 2017. The annualised renewal rate from subscriptions on a dollar basis was 101 per cent.

Barracuda is being bought by private equity firm Thoma Bravo for $1.6bn. The deal is scheduled to close before the end of February.

PhishLine, a SaaS platform with data analytics and reporting to protect against hackers, was bought by Barracuda on January 3.

CEO BJ Jenkins said: “Combining the power of the Barracuda security technologies with PhishLine’s capabilities gives us the opportunity to deliver integrated, adaptive security training aimed at preventing email security threats.”

This is curious as companies heading for private equity ownership often wait for the new owners to set about reshaping and galvanising the company. Yet this acquisition follows that of cloud archiver Sonian, which was announced in the same month, November last year, that Barracuda revealed it was going private.

Thoma Bravo must have been aware of both deals and approved them. It’s a good augury for a fast development pace at Barracuda inside Thoma Bravo, which is getting an actively expanding company and not a distressed wreck.

PhishLine’s 15 employees will join Barracuda. The deal cost was not disclosed, but we think it’s less than $10m. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/09/barracuda_goes_phishing/

20 Cybersecurity Vendors Getting Venture Capital Love

VCs splashed a record $4B in funding in the cybersecurity pool – here are some highlights among the early- to middle-stage startups who snagged big deals last year.

2017 was a record-smashing year for venture capital funding of cybersecurity startups. According to figures from CBInsights, the year ended with 248 deals totaling $4.06B. A lot of that high funding valuation came on the back of mega late-stage funding for well-known firms like Crowdstrike, Cybereason, and Exabeam. But there was plenty of cash splashed around for relative newcomers and upstarts, which is where we’ll focus in this year’s list.

The following 20 firms are primarily early- to middle-stage startups, with a few more mature start-ups that have courted growth equity to change course or expand into a particularly hot new market segment. Our selection criteria this time around was for companies that managed to land a deal for $15 million or more in Series C or earlier funding in 2017.

In the interest of highlighting new firms, we’ve included only companies that were not already featured in our startup lists in the last two years. Many of these firms have been founded in the past three years and a number of them are notable for acting as first-movers in a particularly hot security niche. Additionally, a number of the firms here are notable for their leadership by security veterans and visionaries. As in the last several years, we’ve noted these factors.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/endpoint/20-cybersecurity-vendors-getting-venture-capital-love/d/d-id/1330754?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CISOs’ Cyber War: How Did We Get Here?

We’re fighting the good fight — but, ultimately, losing the war.

I have spent a great deal of time on the front lines of the biggest conflict of our age: the cyber war. In almost 20 years as a security professional, I’ve reached the conclusion that while we are all fighting the good fight and winning some battles, we are ultimately losing the war.

Like a runner on a treadmill, we are working our hearts out and not getting anywhere. When I tell a CISO “I feel your pain,” it’s because I have the scars to prove it. It’s a thankless, lonely, stressful job, and the kicker is how much we all want to do it well.

Before we can stop fighting battles and start winning this cyber war, we need to understand how it got started. Every company today has some level of technical underpinning, and what makes it all work is software. One of the most powerful attack vectors for IT, therefore, has been software vulnerabilities. These vulnerabilities, which can range from simple to fundamental, are intrinsic to every software product in every industry.

We’ve come to accept software vulnerabilities as part of the package, but the question is why? Why are vulnerabilities part of doing business?

The simple answer is unavoidable: market pressure. Markets are constantly evolving and demanding new ways to work smarter, faster, and more cost effectively. The prize, in terms of market share, often goes to the company that gets there first. As a result, products are sometimes forced out the door before they have gone through thorough testing and quality assurance. In the balance between getting the job done first and getting the job done well, being first usually wins and often wins big.

I believe this is why most software products feature extensive indemnification clauses. If the companies are held blameless for bugs and vulnerabilities, the benefit to shipping early can outweigh the risk — at least for the software company. Of course, we as CISOs often end up on the losing end of that proposition.

Another issue is security industry vendors. In an environment fraught with threats, there is money to be made by selling a solution to the problem — whether the product actually performs as promised or not. Promises are easily cloaked in the latest assortment of buzzwords, while the real-world capabilities may not really appear (or not appear at all) until someone is banging on your door.

Although it might be easy enough to blame the situation on simple greed, I believe that many of these issues stem from the fact that the security vendors are not themselves CISOs, nor do they always have a CISO on staff. They do not know the issues CISOs face; they only know what their product does in a sometimes-constrained scenario. And if you only have a hammer, every problem looks like a nail.

Regulations can further complicate the problem. I believe strongly in the aim of today’s cybersecurity regulations, but like the security products themselves, they can often lag behind the real world that CISOs live in. Complying with these regulations can create busywork that diverts our attention and resources from implementing meaningful controls to working on stuff that provides little, if any, benefit. (Antivirus software on my mainframe? Really?) Meanwhile, the internal audit process and staff required to maintain compliance often serve to further distract us and prevent us from focusing resources where we really need them.

In the end, however, it is important to step back and look at what is really driving this situation. It’s the business. Software products are rushed to market, sometimes before they are well tested, because business demands it. Security products are purchased then found not to perform as promised, because a tactical fix was essential to business uptime. Cyber regulations are instituted to protect the business, but they are often so out of step with reality that they end up draining focus and resources.

The culmination of these issues is an enormous workload that far exceeds the available security resources that exist today. Ask CISOs about their top challenges, and they will tell you that finding and retaining qualified staff is among the greatest. Consequently, we will never be able to tackle these issues with a tactical approach. We must become more strategic.

Jack Miller is the Chief Information Security Officer of SlashNext, maker of the Internet Access Protection System, a cloud-powered solution that leverages cognitive computing to detect complex and interlinked Internet access attacks, including social engineering and …

Article source: https://www.darkreading.com/vulnerabilities---threats/cisos-cyber-war-how-did-we-get-here/a/d-id/1330737?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Confirms Windows Performance Hits with Meltdown, Spectre Patches

Windows servers will see biggest degradation, as will Windows 7 and 8 client machines, Microsoft said.

It’s official: Microsoft Windows patches for recently revealed critical microprocessor flaws will cause noticeable performance slowdowns on Windows machines, the company said today.

Performance degradation has been a key concern after Microsoft and Linux operating system kernels were retooled to mitigate attacks on Intel, AMD, and ARM processors via the so-called Meltdown and Spectre hardware vulnerabilities. Security experts had estimated up to 30% degradation for Linux and Windows, so performance is a big part of the equation when it comes to risk assessment and in some cases, whether to patch at all.

Microsoft in a blog post today confirmed that Windows servers will experience noticeable performance slowdowns, as will Windows 7 and 8 client machines running older processors (2015-timeframe PCs with Haswell or older CPUs). While newer Windows 10 platforms won’t experience perceptible performance drops, those on older hardware will.

What’s What

To be fully secured from the flaws, machines must apply the operating system, browser, and microcode patches, says Frank Shaw, communications lead at Microsoft, in a Dark Reading interview.

Specifically, Windows 10 client machines running modern microprocessors (2016-era PCs with Skylake, Kabylake, or newer CPUs) will suffer some performance hits, but it won’t be “user-perceptible,” according to Microsoft. “It will be a couple of percentage points, depending on various workloads. It’s not something people will truly notice,” says Shaw.

Windows 10 machines on Haswell-class or older microprocessors, however, will experience noticeable performance changes in some cases, Shaw says.

And older Windows 7 and Windows 8 machines will experience performance degradation with the patches. “For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation,” Microsoft said. “Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel. We will publish data on benchmark performance in the weeks ahead.”

Microsoft said it’s working on fine-tuning the Windows performance of its patches. This is especially crucial for Windows servers.

“Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment,” according to Microsoft.

Windows Fixes

In its Windows update for the one variant of the Spectre Bounds Check Bypass attack (CVE-2017-5753), Microsoft made a compiler change and hardened its Edge and IE 11 browsers to prevent JavaScript-borne exploits, a fix that doesn’t require a processor microcode update on the machine.

For the Spectre Branch Target Injection (CVE-2017-5715), Microsoft’s patch alerts Windows to call new CPU instructions in the case of risky scenarios with the side-channel communications process. That patch requires the microprocessor update on the machine.

For Meltdown’s so-called Rogue Data Cache attack (CVE-2017-5754), Microsoft said it isolated kernel and user-mode page tables to thwart such an attack; no microcode updates are needed on the machine for that fix.

“Because Windows clients interact with untrusted code in many ways, including browsing webpages with advertisements and downloading apps, our recommendation is to protect all systems with Windows Updates and silicon microcode updates,” Microsoft said in its post.

Meanwhile, Microsoft recommends that server administrators employ mitigations at the physical layer of the server to isolate virtualized workloads on the server. Azure was already updated accordingly to protect virtual machine environments, according to the company. “For on-premises servers, this can be done by applying the appropriate microcode update to the physical server, and if you are running using Hyper-V updating it using our recent Windows Update release.”

There are additional mitigation options for Windows Server as well within VMs to vet untrusted code, for example.

When is it okay not to patch? If a system is not running “untrusted” applications, Microsoft’s Shaw says. “IT pros in some cases will not deploy microcode [patches if they] have an environment where they don’t need to worry about it: if they are not running untrusted applications,” he says.

“This is a hardware problem that affects chips, operating systems,” he says. “We wanted to let customers know what to expect” with performance, he says. “You won’t notice if it’s a spinning disk, but if it’s a solid-state disk, you will notice” performance hits, Shaw says.

The good news: there are no exploits in the wild right now, he says. Consumers and businesses should install Windows and Apple OS updates, and “then when microcode is available from OEMs,” it should also be installed, he says.

“On the client side, we would certainly hope customers will deploy the full solution” for patches, he says. “On the server side, IT pros can look at their specific use cases and make a decision.”

Microsoft has patched 41 of its 45 editions of Windows, and expects to have the remaining four issued “soon,” the company said in its post.

The company has further information on microcode updates from OEMs here, and information on specific system patches here:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/microsoft-confirms-windows-performance-hits-with-meltdown-spectre-patches/d/d-id/1330778?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook bug could have exposed your phone number to marketers

You know that Facebook data-use policy, the one that promises it’s not going to spread our personal information to outfits that want to slice and dice and analyze us into chop suey and market us into tomato paste?

We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement or analytics partners unless you give us permission.

Yea, well… funny thing about that…

Turns out that up until a few weeks ago, against its own policy, Facebook’s self-service ad-targeting tools could have squeezed users’ cellphone numbers from their email addresses… albeit very, verrrrry sloooowly. The same bug could have also been used to collect phone numbers for Facebook users who visited a particular webpage.

Finding the bug earned a group of researchers from the US, France and Germany a bug bounty of $5000. They reported the problem at the end of May, and Facebook sewed up the hole on 22 December.

That means that phone numbers could have been accessed for at least seven months, although Facebook says that there’s no evidence that it happened.

The researchers described in a paper how they used one of Facebook’s self-serve ad-targeting tools called Custom Audiences to ascertain people’s phone numbers.

That tool lets advertisers upload lists of customer data, such as email addresses and phone numbers. It takes about 30 minutes for the tool to compare an advertiser’s uploaded customer list to Facebook’s user data, and then presto: the advertisers can target-market Facebook users whose personal data they already have.

Custom Audiences also throws in other useful information: it tells advertisers how many of its users will see an ad targeted to a given list, and in the case of multiple targeted-ad lists, it tells advertisers how much the lists overlap.

And that’s where the bug lies. Until Facebook fixed it last month, the data on audience size and overlap could be exploited to reveal data about Facebook users that was never meant to be offered up. The hole has to do with how Facebook rounded up the figures to obscure exactly how many users were in various audiences.

As far as resources go, the initial exploitation is the most “expensive” aspect of the exploit, the researchers said. In one evaluation of the attack, they recruited 22 volunteers with Facebook accounts who lived either in Boston or in France.

It took 30 minutes to upload two area code lists for Boston (617 and 857) where the phones had 7 digits to infer. Each list had one million phone numbers, all with a single digit in common. France was even tougher to chew through: it took a week to generate 200 million possible phone numbers starting with 6 or 7 and to upload each list.

But after that, it was fairly smooth sailing.

The resulting audiences can be re-used to infer the phone number of any user.

The researchers went on to use Facebook’s tools to repeatedly compare those audience lists against others generated using the targets’ emails. They kept an eye out for changes to the estimated audience figures that occurred when an email address matched a phone number, revealing users’ numbers drip by drip, one digit at a time.

The attack apparently worked with all Facebook users who had a phone number associated with their account. The exploit stumbled when people provided multiple, or no, phone numbers for their Facebook accounts. It took under 20 minutes per user to get phone numbers.

The researchers used the same technique to collect phone numbers en masse for volunteers who visited a website with the “tracking pixel” Facebook provides to help site operators target ads to visitors. As they explain, Facebook gives advertisers some code – referred to as a tracking pixel, since it was historically implemented as a one-pixel image – to include on their websites. When users visit the advertiser’s website, the code makes requests to Facebook, thereby adding the user to an audience.

The audiences aren’t defined by “attributes,” such as visitors’ gender or their location. Rather, these are “PII-based audiences.” Advertisers select specific users they want to target, by either uploading known email addresses, names, or other personally identifying information (PII), or by selecting users who visited an external website that’s under the advertiser’s control.

The tracking-pixel version of the exploit succeeded in getting the researchers the phone numbers they were after. It appeared to work for all accounts Facebook defines as daily active users.

Facebook fixed the bug by weakening its ad-targeting tools. They’re not showing audience sizes any longer when customer data is used to make new ad-targeting lists.

Facebook Vice President for Ads Rob Goldman put out a thank-you statement for the researchers’ find:

We’re grateful to the researcher who brought this to our attention through our bug bounty program. While we haven’t seen any abuse of this complex technique, we’ve made product changes to prevent this from occurring.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NKI1Ti2imTA/

Spyware user tracked boyfriend to have him killed by hitman

Stop me if you’ve heard this one:

Boy meets girl. Girl tracks boy with spyware. Girl (allegedly) hires hitman to kill boy. Girl arrested by hitman, who actually works for the FBI.

Wait a minute. What’s that you say? It’s not an elevator pitch for a thriller? It actually happened?!

It sure did. Unfortunately, it’s not humorous, either, given that a man allegedly could have been murdered.

The story involves a Los Angeles woman who goes by the handle “Mz. Fiesty” on social media.

According to the US Attorney’s Office for the Central District of California, Rasheeda Johnson Turner, 37, was arrested last month on federal charges that she hired a hitman-slash-FBI informant to kill her boyfriend so she could get her hands on his life insurance payout.

The boyfriend/would-be victim is identified in court documents as L.G.

Turner allegedly told the informant she was the beneficiary of a $150,000 life insurance policy and that she would pay the killer $50,000. Over the course of two weeks, she allegedly told the purported hitman that she originally planned to do the deed herself and had sourced “pure acid” from a plumber to get it done.

According to the criminal complaint, Turner initially tried to hire a hitman in November, but he wasn’t interested in the job. The FBI got wind of the alleged plot and managed to get an informant introduced to Turner. Turner, also known as Feisty or Mz. Feisty, is, according to her social media posts, an amateur film star with a rap sheet: she was convicted in 2005 for forgery and theft and arrested in 2016 for spousal battery, having allegedly assaulted L.G.

The informant/“hitman” agreed to meet with Turner on 4 December. Before the meeting, he got rigged with a wire tap to record audio and video. According to the complaint, Turner was recorded as saying that being a mom got in the way of being a murderer herself:

I was gonna off blood, myself, but it’s hard because I got a kid.

Turner actually rented a room to kill L.G., the complaint alleges, but she called it off since she was afraid her daughter would interrupt.

So she allegedly decided instead to hire a professional and pay him out of the life-insurance money:

Once he is dead, I get the death certificate, then they pay me, what? Within thirty days, the life insurance or whatever, and I said I cash the money out or whatever.

OK, how do you want it done?, the hitman wanted to know.

Doesn’t matter, she allegedly said, as long as his phone disappears:

I just want him dead and his phone gone because, you know, we be texting back and forth.

She allegedly offered to pay the informant a third of the insurance money: $50,000. Then, she showed him a photo of L.G. and told him that the victim sleeps in his car – a Lexus – at night. She also allegedly showed the informant a tracking app on her phone that allows her to locate the victim on a map.

I can tell you when he over there. I can hit you from my other number, and be like O.K. Yeah, I’ll do that.

On 7 December, Turner was reportedly ready for L.G. to exit the world. What she allegedly texted to the fake hitman:

That fly needs to be swatted.

The next day, Turner allegedly told the informant that it had to be done soon, since L.G. was getting close to a new woman, and she was afraid she’d get yanked off his bank accounts and life insurance policy.

I’m like, oh no, we gotta get it done ASAP so we can still get that f**kin’ money.

Then, she took the informant on a tour of the places where L.G. tended to sleep in his car. Turner told him she wanted the victim killed the next week. When it was done, she told the hitman, she wanted him to let her know by using the code “Operation Dumbo.” After she got that code, she’d remove the tracking app from her phone, she said.

Turner allegedly said she’d pay the informant part of the money upfront – as soon as she got it from a credit card scam.

How did she get this good at getting away with murder? From TV, she allegedly told the informant.

You gotta beat them at they own game. I watch all that killer shows, so it tells you how to get away with sh*t. It tells you what to do.

Turner was arrested on 13 December and charged with murder-for-hire. She was due to be arraigned on 4 January.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0rweiVmjS98/

IBM melts down fixing Meltdown as processes and patches stutter

IBM has scrambled to fix the Meltdown and Spectre bugs, but has struggled to develop processes, reporting tools or reliable patches to get the job done for itself or its clients.

Internal documents seen by The Register reveal that Big Blue has ordered staff not to attempt any Meltdown/Spectre patches, but that the advice to do nothing is incorrect and needs to be changed. The documents also reveal that IBM is urging its people to stick to a script and use a pre-approved presentation when discussing Meltdown/Spectre remediation with customers. However neither the script nor the presentation has been completed or approved. Staff have been told to expect the documents “in coming days”.

The documents also report that patches for the twin CPU bugs are failing on Windows due to interactions with antivirus tools. That’s a known issue others have encountered. The documents also say some Red Hat Enterprise Linux servers aren’t rebooting after patching, which is of more concern given that Red Hat developed its own Meltdown/Spectre patches.

Staff have also been advised that there’s no documentation of such incidents: everything’s being done by word of mouth for now.

IBMers are therefore being urged to ensure client systems are thoroughly backed up before attempting patches, and even then to do so only after rigorous testing and securing users’ signoff of patching programs.

Big Blue’s remaining employees must also wait for reporting tools to track progress of Meltdown/Spectre fixes – as of early on January 9th they’re still being written … in Excel, suggesting that IBM’s services team find spreadsheets faster to implement than a more formal incident management tool. And that even the planet’s oldest IT services organisations just aren’t geared up for a sudden and massive patching effort of core computing infrastructure. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/09/ibm_melts_down/

With WPA3, Wi-Fi will be secure this time, really, wireless bods promise

Wi-Fi security should become a bit less laughable with the pending introduction of the WPA3 protocol this year.

In conjunction with this week’s commencement of CES – letters that once stood for Consumer Electronics Show and now come meaning-free – the Wi-Fi Alliance on Monday heralded the arrival of WPA3 as the successor to WPA2, the flawed but widely used network security protocol for Wi-Fi communication.

WPA2 has some problems. It allows anyone with a bit of software to boot people off a Wi-Fi network with a DEAUTH attack. And it’s not particularly secure.

The Wi-Fi Alliance – an industry group that counts Apple, Cisco, Intel, Microsoft, and Qualcomm among its many members – said it intends to keep hammering away at WPA2, even as it rolls out the protocol’s successor.

WPA3-certified devices should start appearing later this year. They will include features like improved protection when users choose weak passwords and improved security setup on devices with limited or no interface screens.

WPA3 will also support individualized data encryption. Via Twitter, Mathy Vanhoef, a postdoctoral computer security researcher at Belgium’s KU Leuven, speculates that this may be an implementation of Opportunistic Wireless Encryption (OWE), a proposed extension to the 802.11 wireless standard.

OWE implements a Diffie-Hellman key exchange during network sign-on and uses the resulting secret for the 4-way 802.11 handshake rather than the shared, public Pre-Shared Key (PSK) that can be easily exploited.

Vanhoef also suggests the improved password protection could take the form of Simultaneous Authentication of Equals (SAE), or Dragonfly, a password-based key exchange protocol for mesh networks.

In addition, there will be a 192-bit security suite, consistent with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, for Wi-Fi users with high security requirements, such as government organizations and businesses.

We’d point you to the NSA’s Information Assurance Directorate website discussing CNSA, but presently Chrome throws a certificate warning that “Your connection is not private.” Imagine that from an intelligence agency.

A spokesperson for the Wi-Fi Alliance told The Register in an email that further information will be made available once the WPA3 program launches. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/09/wi_fi_wpa3/

It gets worse: Microsoft’s Spectre-fixer wrecks some AMD PCs

Microsoft’s fix for the Meltdown and Spectre bugs may be crocking AMD-powered PCs.

A lengthy thread on answers.microsoft.com records numerous instances in which Security Update for Windows KB4056892, Redmond’s Meltdown/Spectre patch, leaves some AMD-powered PCs with the Windows 7 or 10 startup logo and not much more.

Users report Athlon-powered machines in perfect working order before the patch just don’t work after it. The patch doesn’t create a recovery point, so rollback is little use and the machines emerge from a patch in a state from which rollback is sometimes not accessible. Some say that even re-installing Windows 10 doesn’t help matters. Others have been able to do so, only to have their machines quickly download and install the problematic patch all over again …

Those who have suffered from the putrid patch will therefore need to disable Windows Update as just about the first thing they do. Keeping the machine off networks seems a helpful precaution.

The Register cannot find a Microsoft response in the thread, a reasonable lack-of-reaction given many of the complaints accrued over the weekend.

AMD CPUs are immune to Meltdown but susceptible to Spectre, but the silver lining in that cloud has been dirtied by the patch problem. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_pcs/