This week in computer security

According to this article in German language https://www.heise.de/security/meldun…r-3926842.html Hackkers managed to send a Ransom Trijan via Police mails.
The article points towardss this document as source : http://www.documentcloud.org/documen…Affidavit.html
The article alöso says that those hackers got arrested already.

Are police mails just forgery of emails or something different ?
-
read article. Vaguely that sounds like old news. The software for this stuff is really lame and easy to hack (from what I remember reading - what's that conference they have with the hackers). In fact they demonstrated that you could hack even 'secure' voting systems in under 20 minutes with no prior knowledge of the system. Some of it is just using windows known exploits and some of it is the lameity of how these systems are secure and lack of secure transport layers.

Intel has a major security flaw, and the fix looks pretty ugly.

http://www.bbc.com/news/technology-42553818

EDIT: A separate flaw also affect AMD and ARM.

https://www.reuters.com/article/us-c…-idUSKBN1ES1BO

@Ripper - bad stuff all around….Interesting to see that AMD has another security issue: the glee expressed by some AMD supporters was quite disgusting. The general view was that AMD was immune to security issues and superior in every way etc etc. The word hubris springs to mind :-)

Well there are two different flaws. The 'amd' flaw; from my reading sounds less like a chip flaw and software running on amd processor flaw so I will give them a pass here. Also this 'flaw' is very difficult to utilize so on first reading success rate via hackers will be low (success is obtaining sensitive information once a virus is installed). The first flaw is much more serious and is a hardware level bug. Shame on intel.

[I run intel processors not amd].

Originally Posted by booboo
@Ripper - bad stuff all around….Interesting to see that AMD has another security issue: the glee expressed by some AMD supporters was quite disgusting. The general view was that AMD was immune to security issues and superior in every way etc etc. The word hubris springs to mind :-)

Both flaws are related, in that they potentially allow speculative operations on the CPU to be exploited. The Intel case is more serious, as it allows speculative operations access to kernel memory in a way which can bypass the security checks, which is very dangerous. The Spectre exploit that affects all major CPUs is similar, but only allows for more difficult attacks that may be less practical. There is a suggestion that speculative CPU operations may now be generally considered insecure in their current form, which would be a big problem.

The Intel exploit, being so nasty, requires a very heavy-handed fix on the OS, in which the efficient method of switching from kernel mode to user mode must be abandoned in favor of a more rigid and inefficient, but safer, technique. This will result in a performance penalty in some situations, which could be significant. Hopefully, because games are largely user mode tasks, any impact will be minimal.

Exactly what you said in the last sentence.
Gamers shouldn't care about these vulnerabilities at all.

That's what they are saying, but I'm going to wait and see before applying the patch. If I hear about major slow downs in games or just everyday computing, I will not get the patch.

I think it'll be hard to avoid the patch - I expect MS will force it as a mandatory update to the kernel. I've heard, though, that there will be an option to boot into insecure mode, which will be vulnerable, but faster.

They are only related in that they potentially allow access to sensitive information outside of the program address space. They are - from a technical perspective - that is how they obtain this information - unrelated.

Originally Posted by Ripper
Both flaws are related, in that they potentially allow speculative operations on the CPU to be exploited. The Intel case is more serious, as it allows speculative operations access to kernel memory in a way which can bypass the security checks, which is very dangerous. The Spectre exploit that affects all major CPUs is similar, but only allows for more difficult attacks that may be less practical. There is a suggestion that speculative CPU operations may now be generally considered insecure in their current form, which would be a big problem.

The Intel exploit, being so nasty, requires a very heavy-handed fix on the OS, in which the efficient method of switching from kernel mode to user mode must be abandoned in favor of a more rigid and inefficient, but safer, technique. This will result in a performance penalty in some situations, which could be significant. Hopefully, because games are largely user mode tasks, any impact will be minimal.

Originally Posted by you
They are only related in that they potentially allow access to sensitive information outside of the program address space. They are - from a technical perspective - that is how they obtain this information - unrelated.

I would say they are closely related, in that they are variants of essentially the same problem. Have a look at Google's own technical assessment.

https://googleprojectzero.blogspot.n…with-side.html

Both vulnerabilities are classified under a single article as "Reading privileged memory with a side-channel", and they go so far as to define Spectre as variants 1 and 2, and Meltdown as variant 3. Both vulnerabilities occur due to a lack of security in the speculative execution behavior of modern CPUs. I think it's fair to say they are related from a "technical perspective".

Before any of these are possible, your PC needs to be compromised first. You need to (unknowingly) install something. Also it can read memory it does not have access to, but that memory does not necessarily have to contain any information that is usable. It could, but it all depends on what you do on your PC.
Obviously, a lot of people do not take security that seriously, I understand quite a number of people don’t even patch their OS, so it will definitely have its impact.

For PCs, the best solution would be for Intel to deliver processor chips where the issues are fixed, but they probably would like to sell their stock first.

From what I've read, although Intel could improve their chips to protect against the Meltdown variant, getting rid of the wider class of Spectre vulnerabilities could be a much taller order, and require going back to the drawing board on some key aspects of current CPU design. Could take years.

Well this is nasty. Someone demonstrated how to use spectre security weakness via javascript….

Nasty indeed. The browser manufacturers are scrambling to introduce measures that will block or make harder the javascript attacks, but this still leaves us in a very unsatisfactory and unsafe position. This relies upon the correctness of the browser - any bugs, flaws, or unknown attacks could still allow access to kernel memory of the system, and potentially escalate privilege to own the system.

Originally Posted by joxer
Exactly what you said in the last sentence.
Gamers shouldn't care about these vulnerabilities at all.

Yeah - well, in a direct sense anyway, I don't think this is any more terrible than any of the 100 latest virusi that popped up. I guess BOINC may run slower after the patch but no big deal there.

Indirect issues are another matter… like my electric company giving away my bank account info because the supposedly secure cloud service they use to process it gives it away to an abusive process running at the same time.

Fortnight us doing an upgrade to fix the issue: http://www.pcgamer.com/fortnite-serv…eltdown-patch/

XKCD 'explanation' of the new issue.

https://xkcd.com/1938/

Microsoft reports that older hardware (haswell and earlier) will see significant slowdown (esp under versions of windows older than windows 10).
https://www.engadget.com/2018/01/09/…rformance-hit/

Originally Posted by you
Microsoft reports that older hardware (haswell and earlier) will see significant slowdown (esp under versions of windows older than windows 10).
https://www.engadget.com/2018/01/09/…rformance-hit/

Yes, it's not good. In Linux land, where things are more open, there's been a lot of benchmarking with the new patches on various workloads. There seems to be three main patches: KPTI - which enforces stricter and slower segregation of kernel and user memory for Meltdown, Retopoline - which frustrates some variants of Spectre, and the microkernel updates. Taken together, the impact is pretty heavy in some scenarios, and degrades general performance to some degree.

Yep, if you are like me and many others who are holding onto windows 7 come hell or high water, this "fix" hits those systems hard. No way in hell am I downloading this patch.

Not only that, but there are reports that the patch itself is causing blue screens and microsoft had to remove it just to fix the patch. This is just one more reason why I hate the new versions of windows, because it is all about auto-patching and microsoft took the control away from the user. I always have the windows update to notify me only, and then I decide whether to get the patches, just in case microsoft releases crap like this.

The patch is called "2018-01 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4056894)" for those who want to avoid it.