STE WILLIAMS

The flagship of the Royal Navy, HMS Ocean, has been sold to Brazil for £84m, the South American country’s government has confirmed.

The 22,000-tonne helicopter carrier, which returned from her last British deployment to the Caribbean just weeks ago, will be formally decommissioned from the RN in spring this year.

Although it was well known that Ocean was up for sale and that Brazil (as well as Turkey) were interested in buying the 20-year-old warship, confirmation of the deal and the purchase price were all “known unknowns” until now.

The news was broken by defence blog UK Defence Journal, citing a Brazilian journalist.

The Brazilian Navy’s end-of-year roundup statement, published on Christmas Eve 2017, also included the line: “Minister Raul Jungmann and the Brazilian Navy Commander Eduardo Bacellar Leal Ferreira took the opportunity to announce the purchase of the Royal Navy’s HMS Ocean multifunction vessel, valued at £84m sterling.”

A British Ministry of Defence spokesman told El Reg: “Discussions with Brazil over the long-planned sale of HMS Ocean are at an advanced stage, but no final decisions have been made. HMS Ocean has served admirably with us since 1998 and the revenue she generates will be reinvested in defence as we bolster our Royal Navy with two types of brand new frigates and two huge aircraft carriers.”

In 2012 Ocean was given a two-year, £65m refit, extending her life by three years. While this refit cycle could potentially continue for more years to come, the MoD simply doesn’t have the budget to keep her in service – especially as ever more machinery on the hard-worked old ship needs deep maintenance or replacing.

Selling the ship gives a net benefit to the taxpayer over the last three years alone of £20m, which (very approximately) covers the running costs of two frigates for one year. The longer-term financial benefits will be felt by not having to stump up the £12m annual running cost (see “LPH Ocean Class”) of the ship herself.

Sunset of the ‘Mighty O’

Built for £150m in the mid-1990s and commissioned in 1998, Ocean has a dual role as an amphibious landing ship and a helicopter carrier. Her primary purpose in times of war is delivering a unit of Royal Marines to wherever in the world they are needed, whether by using helicopters flying from her large, flat deck, or landing craft operating from her midships davits and her stern ramp.

HMS Ocean on her last deployment to the Caribbean. Note landing craft hanging from the davits; the stern ramp is folded up in this picture. Crown copyright/LPhot Kyle Heller

Some controversy surrounded her build costs, with one of the bidders being accused of submitting an artificially low bid in order to win. Nonetheless, the ship was built to civilian standards, something which not only made her cheaper but also gave her a shorter expected service life than most British warships.

It is expected that Ocean will undergo a comprehensive refit in the UK to Brazil’s specifications before she departs for a new life under a new name.

The old helicopter carrier has just been supplanted as the RN’s sole flat-top by HMS Queen Elizabeth, the new F-35 aircraft carrier. Though Big Liz will eventually become a capable warship in her own right, she was not designed as an amphibious warfare vessel; the ability to deliver large numbers of British personnel onto a potentially hostile shore now rests solely with the two dedicated Albion-class warships, only one of which is ever in service at any given time. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/03/hms_ocean_sold_brazil/

The festive period was accompanied by the usual security shenanigans including breaches, cybercrime busts and serious security bugs.

Those security pros returning to work this week after a well-earned break may or (may not) be relieved to know it’s largely been business as usual.

Over in the United States, half a dozen of the country’s senators have teamed up (PDF) on a bipartisan effort to prevent hackers from tampering with election results. Senators James Lankford (Republican-Oklahoma), Amy Klobuchar (Democrat-Minnesota), Kamala Harris (Democrat-California), Susan Collins (Republican-Maine), Martin Heinrich (Democrat-New Mexico), and Lindsey Graham (Republican-South Carolina) teamed up to craft a potential Secure Elections Act.

The bill includes requirements that the government provide states with any intel it has on possible election-hacking threats as well as sets up a procedure for state officials to get security clearance to view these intelligence reports. It also provides grant money to help states cover the cost of switching from electronic-only voting machines to more secure models that leave a paper trail of activity.

In true US government fashion, the two parties combined to give a wonderfully wishy-washy summary of the election hacking landscape:

During the 2016 election, intelligence reports have factually established that Russia hacked presidential campaign accounts, launched cyberattacks against at least 21 state election systems, and attacked a US voting systems software company. While there is no evidence that a single vote outcome was tampered with, this dangerous precedent should be a wake-up call as we head into the 2018 election cycle.

Meanwhile, Guy Fawkes mask-wearing hacker collective Anonymous reportedly hacked an Italian speed camera database. Hacktivists hijacked a police email and database system in Corregio, Italy and deleted speed camera tickets.

In an unrelated case, two Romanian nationals were charged with hacking CCTV cameras ahead of US pres Donald Trump’s inauguration, CNN reports. A link to the criminal complaint can be found here (pdf).

Elsewhere in the world of cybercrime investigation, a suspect purported to be part of an email scam ring styling itself as a Nigerian prince was arrested. A police charge sheet shows that a 67-year-old pensioner from Louisiana – rather than a resident of Lagos and surrounds – was charged with 269 counts of Wire Fraud and Money Laundering, as USA Today reports. The police report does maintain that law enforcement officers are also looking into suspected “co-conspirators in the Country of Nigeria”, so there’s that…

Just before the new year, John McAfee claimed his Twitter account had been hacked to encourage his followers to purchase, er, lesser-known cryptocurrencies. McAfee said the incident was Twitter’s fault, and not his, because of its failure to get to grips with fake accounts.

The incident raised more than a few raised eyebrows among security watchers, such as Graham Cluley. “The real John McAfee is no stranger to tweeting about which cryptocurrency his followers should invest in, so the ‘hacker’ certainly wasn’t entirely clueless about how to blend in with the security veteran’s regular postings,” Cluley opined.

Back in the world of the more tangible, the new year brought with it the disclosure of a macOS kernel flaw along with an accompanying proof-of-exploit on Github by bug-sniffer “Siguza”, who suggests it has been around for quite a while.

With nasty flaws, social media hacks and cybercrime arrests, it’s reasonable to say that the festive period was largely a continuation of the 12 months that proceeded it.

Keep being weird, infosec. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/03/security_catch_up/

Clothing chain Forever 21 has admitted a malware infection on its cash registers swiped customer payment card details for most of last year.

The retailer issued a statement revealing that from how last year, from April 3 to November 18, hackers were able to harvest the payment card details from point of sale (POS) terminals in its stores.

According to Forever21, the crimeware was present at various times on machines throughout the seven-month period with some machines being infected for most or all of that time. Additionally, Forever 21 said, the malware was able to get into appliances that stored transaction log in the stores so it could potentially access cards read by machines that were not themselves infected.

Perhaps most infuriating to victims is the fact that Forever 21 actually had encryption tools installed to secure those sales records from prying eyes, but not running, on the infected machines and log storage systems.

“Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations,” the company said.

“When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data.”

The company notes that its online store and its stores outside of the US use different payment systems that were not exposed to the malware.

Those who shopped at Forever 21 stores between April and November should keep a close eye on their bank and credit card statements, and report any suspicious activity. One tiny saving grace is that in many cases the card numbers, security codes, and expiration dates were obtained, but the cardholder names were rarely disclosed.

Forever 21 said it is working with its payment processors, the developer of the breached POS systems, and law enforcement to further investigate the cyber-break-in.

The clothing shop is far from alone in falling victim to these sort of attacks. POS infections have become an increasingly common way for crooks to conduct large-scale harvesting of payment card details. The targets have ranged from hotel chains like Hilton to big-box retailer Target and even restaurant chains. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/03/forever_21_hacked/

A fundamental design flaw in Intel’s processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

Programmers are scrambling to overhaul the open-source Linux kernel’s virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we’re looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit.

PostgreSQL SELECT 1 with the KPTI workaround for Intel CPU vulnerability https://t.co/N9gSvML2Fo

Best case: 17% slowdown

Worst case: 23%

— The Register (@TheRegister) January 2, 2018

Similar operating systems, such as Apple’s 64-bit macOS, will also need to be updated – the flaw is in the Intel x86 hardware, and it appears a microcode update can’t address it. It has to be fixed in software at the OS level, or buy a new processor without the design blunder.

Details of the vulnerability within Intel’s silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft’s Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue.

However, some details of the flaw have surfaced, and so this is what we know.

Impact

It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the contents of protected kernel memory.

The fix is to separate the kernel’s memory completely from user processes using what’s called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.

Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job. To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes’ virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and reenter the process. While in user mode, the kernel’s code and data remains out of sight but present in the process’s page tables.

Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.

These KPTI patches move the kernel into a completely separate address space, so it’s not just invisible to a running process, it’s not even there at all. Really, this shouldn’t be needed, but clearly there is a flaw in Intel’s silicon that allows kernel access protections to be bypassed in some way.

The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel’s overhead, and slows down the computer.

Your Intel-powered machine will run slower as a result.

How can this security hole be abused?

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel’s memory. Suffice to say, this is not great. The kernel’s memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data.

Specifically, in terms of the best-case scenario, it is possible the bug could be abused to defeat KASLR: kernel address space layout randomization. This is a defense mechanism used by various operating systems to place components of the kernel in randomized locations in virtual memory. This mechanism can thwart attempts to abuse other bugs within the kernel: typically, exploit code – particularly return-oriented programming exploits – relies on reusing computer instructions in known locations in memory.

If you randomize the placing of the kernel’s code in memory, exploits can’t find the internal gadgets they need to fully compromise a system. The processor flaw could be potentially exploited to figure out where in memory the kernel has positioned its data and code, hence the flurry of software patching.

However, it may be that the vulnerability in Intel’s chips is worse than the above mitigation bypass. In an email to the Linux kernel mailing list over Christmas, AMD said it is not affected. The wording of that message, though, rather gives the game away as to what the underlying cockup is:

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

A key word here is “speculative.” Modern processors, like Intel’s, perform speculative execution. In order to keep their internal pipelines primed with instructions to perform, the CPU cores try their best to guess what code is going to be run next, fetch it, and execute it.

It appears, from what AMD software engineer Tom Lendacky was suggesting above, that Intel’s CPUs speculatively execute code potentially without performing security checks. It seems it may be possible to craft software in such a way that the processor starts executing an instruction that would normally be blocked – such as reading kernel memory from user mode – and completes that instruction before the privilege level check occurs.

That would allow ring-3-level user code to read ring-0-level kernel data. And that is not good.

The specifics of the vulnerability have yet to be confirmed, but consider this: the changes to Linux and Windows are significant and are being pushed out at high speed. That suggests it’s more serious than a KASLR bypass.

Also, the updates to separate kernel and user address spaces on Linux are based on a set of fixes dubbed the KAISER patches, which were created by eggheads at Graz University of Technology in Austria. These boffins discovered [PDF] it was possible to defeat KASLR by extracting memory layout information from the kernel in a side-channel attack on the CPU’s virtual memory system. The team proposed splitting kernel and user spaces to prevent this information leak. Their work was reviewed by Anders Fogh, who wrote this interesting blog post in July.

That article described his attempts to read kernel memory from user mode by abusing speculative execution. Although Fogh was unable to come up with any working proof-of-concept code, he noted:

My results demonstrate that speculative execution does indeed continue despite violations of the isolation between kernel mode and user mode.

It appears the KAISER work is related to Fogh’s research, and as well as developing a practical means to break KASLR by abusing virtual memory layouts, the team may have proved Fogh right – that speculative execution on Intel x86 chips can be exploited to access kernel memory.

Shared systems

The bug will impact big-name cloud computing environments including Amazon EC2, Microsoft Azure, and Google Compute Engine, said a software developer blogging as Python Sweetness in this heavily shared and tweeted article on Monday:

There is presently an embargoed security bug impacting apparently all contemporary [Intel] CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads.

There are hints the attack impacts common virtualisation environments including Amazon EC2 and Google Compute Engine…

Microsoft’s Azure cloud – which runs a lot of Linux as well as Windows – will undergo maintenance and reboots on January 10, presumably to roll out the above fixes.

Amazon Web Services also warned customers via email to expect a major security update to land on Friday this week, without going into details.

There were rumors of a severe hypervisor bug – possibly in Xen – doing the rounds at the end of 2017. It may be that this hardware flaw is that rumored bug: that hypervisors can be attacked via this kernel memory access cockup, and thus need to be patched, forcing a mass restart of guest virtual machines.

A spokesperson for Intel was not available for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/