Well SPIt, Intel firmware is a wee bit vulnerable

Subject: General Tech | April 16, 2018 - 01:24 PM | Jeremy Hellstrom
Tagged: uefi, SPI, security, Intel, bios

The one part of your computer you still rely on to be safe are firmware updates to your UEFI, but of course there are also cases where this too can prove to be vulnerable.  It seems there is a vulnerability in the way the the SPI flash is configured on on a variety of Intel CPUs stretching all the way back to Broadwell, straight through to the current chips.  There is good news as a patch for this vulnerability has already been provided to PC and motherboard manufactures according to the information over at Bleeping Computer so check for BIOS updates over the next while.  As this does stretch back to models which no longer receive regular updates, hopefully even those ancient devices will receive an update.

"According to Lenovo, who recently deployed the Intel fixes, "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware.""

Here is some more Tech News from around the web:

Tech Talk

• Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank @ Slashdot
• Thousands of Android apps may be collecting children's data illegally @ The Inquirer
• Sophisticated APT surveillance malware comes to Google Play @ Ars Technica
• Google is testing 'self-destruct' function for Gmail @ The Inquirer
• Exposed: Lazy Android mobe makers couldn't care less about security @ The Register
• Apple's leaked memo warns leakers to stop leaking leaks @ The Inquirer

Alphabet's Jigsaw Launches Outline: An Open Source and Simple To Use Proxy

Subject: General Tech | March 28, 2018 - 10:59 PM | Tim Verry
Tagged: vpn, socks5, shadowsocks, security, proxy, outline, encryption

Alphabet Inc (parent company of Google) through its Jigsaw subsidiary recently took the wraps off of Outline which is a simple to setup proxy based on the popular Shadowsocks project. Aimed at journalists, small companies, and individuals, Outline is an open source project that comes in two parts: a proxy server and client applications that help configure the connection.

While companies can take advantage of an advanced mode to install Outline's server components onto an existing cloud server or an internal private server, most users can opt for the basic setup which is about as simple as it gets. Currently, Outline integrates with Digital Ocean using Digital Ocean's API and after signing in and authorizing Outline to make changes, it automatically spins up the lowest cost droplet and sets everything up. You never need to SSH into the VPS to configure anything. Rather, what little configuration there is (not much!) is done using a GUI Outline Manager application on a client device. The connection between the management application and the server is encrypted using a self-signed SSL certificate.

The proxy server is based on a Shadowbox image that is imported using Docker and is kept up to date using Watchtower (which is also installed on the droplet) which checks every hour for updated images. A cron job is also automatically configured to run and apply security updates for the host Ubuntu operating system and reboot as needed. Finally, a web server for management of it is installed in a secret path and run on a random port and only responds to queries if the secret path is specified and only over SSL.

After watching Darren Kitchen and Shannon Morse over at Hak5 check it out, I decided to also fire it up to see if it really was that easy, and sure enough it is! The entire process is very simple taking only a few minutes (the longest step was finding my phone for the two factor authentications haha) and the management of it at least seems very hands off with the automated updates.

On the security front, Outline is a SOCK5 proxy that reportedly uses strong encryption with an AEAD 256-bit ChaCha2020 IETF Poly 1305 cipher which, according to Jigsaw, ticks all at least two boxes corners of the CIA triangle (confidentiality and integrity) along with authentication using the secure keys. I think the hardest part about maintaining that security is going to be sharing the access with others as you would need a secure channel of communication to share the needed information with. While you can generate the key easily enough for them, getting them their key for the client device could prove tricky if you are physically far away from them and do not already have a secure method of messaging (e.g. encrypted email) though for most people sending it through signal or a similar mobile app or encrypted skype/facebook/whatever while not the greatest plan is likely to prove secure enough that it balances security and convenience.

In November, Outline was audited by Netherlands-based Radically Open Security and you can find the non-profit's report here (PDF).

Things are even simpler on the client side, after adding the server using the access key, all they have to do is hit a single connect button to get things connnected for most modern web browsers and other apps that respect the set Windows registry key. Note that for Android and Chrome OS, Outline acts as a system-wide VPN, but for Windows only TCP traffic is secured and not all applications are supported yet. Support for passing UDP traffic through the SOCKS5 proxy and for system-wide VPN tunneling of all traffic is coming soon but right now the only UDP traffic that is passed through the proxy is DNS which is encrypted and uses the Outline server's defualt DNS resolver rather than passing outside fo the proxy and using the Windows-configured DNS and/or ISP's DNS.

In my case, after hitting connect, Chrome automatically configured the proxy settings and I was on my way. I did run into a hiccup with getting the Outline-client app, however. I was able to download it from the Outline website using Chrome and it installed fine, but when trying to grab it through the Get Connected option in the Outline Manager app, the download link opened automatically in Microsoft Edge which proceeded to flag the file as malicous and would not let me open it (heh). Hopefully they are able to get the false posiitive resolved as that may trip up normal users and make it harder to convince them to use your Outline proxy.

So far I have not run into any other problems with it and things are running smoothly. Web pages are finally loading as fast as they should be as well which makes me think the problems of super slow webpage loads were not with my computer but with Comcast messing with me (we are talking some pages taking a minute to load on a 90/10 connection, even simple ones like Google and Gmail). 

Outline is not a full VPN, but it is extremely easy to setup and share with others and may well be secure enough for most people. If you want to get a little more geeky, there is always OpenVPN which you can setup with a simple script or projects like Algo VPN or free (as in money) commercial solutions like Pro XPN or the built-in VPN in the Opera web browser. On the positive side, Outline does not store any logs (and since its your sever you can access it and monitor it to be sure) and Jigsaw/Alphabet/Google is up front about what information they do collect which includes server IP and non-identifiable information following crashes. Users can opt-in to sharing anonymous metrics but they do not have to and the default setting is off which is good. The downside is that right now it is still fairly new and not as vetted as some of the other options and while it is open source it is not necessarily free. In its best form which is slick setup using the Digital Ocean integration, it is $5 a month, but if you are privacy concious it may be money well spent and if you already have an existing server you can also use that though in that case the ease of configuration edge may not be as great and you may as well run OpenVPN unless you really dig the simple client apps and not having to manually copy and mange keys around to all your devices possibly in a non-GUI way.

Overall, it is a neat solution and I think it has promise. Hopefully if/when Google abandons it for its next big thing they let the community have at it. As of the today, Outline Manager is supported on Windows 7 (or newer) and Linux with Mac OS support coming soon. Outline supports client using apps for Windows 7 (or newer), Android, and Chrome OS with Mac OS and iOS apps coming soon. You can find both the Outline Manager and Outline Client at https://getoutline.org. If you do end up checking it out, let me know what you think about it. More screenshots can be found below.

Unmasking the Spectre; will the new patches cause a performance Meltdown?

Subject: General Tech | February 28, 2018 - 12:59 PM | Jeremy Hellstrom
Tagged: Intel, kaby lake, Skylake, security, spectre, meltdown

With the new improved Intel patches to protect against Spectre and Meltdown, The Tech Report made the effort to revisit the performance impact you can expect on a system with a Core i7-7700HQ and a Samsung PM961 512 GB NVMe SSD.  Javascript tests show a noticeable drop in performance and while PCMark Essentials total score showed a dip in performance the gaming specific tests did not.  It will be interesting to see if this levels the playing field between Ryzen and Skylake, as the performance delta is already very small.  Check out the full results here.

"Intel recently released stable microcode updates to mitigate the Spectre vulnerability on Skylake and newer CPUs. We ran back-to-back tests with and without the patch on one of our Kaby Lake systems to see just how much performance suffers in exchange for safety."

Here is some more Tech News from around the web:

Tech Talk

• EUV Defects Cited in 5-nm Node @ EE Times
• Intel pushes out stable Spectre fixes for Broadwell and Haswell machines @ The Inquirer
• You can Ring my bell: Amazon pays ONE BEEEEELLION+ dollars for smart home upstart @ The Register
• 4G found on Moon @ The Register

The new Skype, with assorted features you don't want and none of the ones you used to love

Subject: General Tech | February 13, 2018 - 01:23 PM | Jeremy Hellstrom
Tagged: microsoft, skype, security

The new Skype looks much like a child who swallowed far too many Halloween candies and happened to be facing a monitor during the inevitable outcome; a feature not many requested.  Also gone is the ability to program your own add-ins and apply them to Skype to enhance recording and a variety of other features which made the product useful.  Microsoft ended that when they took Skype over, however they offer some other less popular features.   One such is a vulnerability which allows the unsecure update process to be used to inject nasty DLLs to give SYSTEM level access to an attacker.  From what The Inquirer has been able to find out, Microsoft will not be releasing a patch for vulnerable versions but will instead release a new version at some point, without the vulnerability baked in. 

Conspicuosly absent from this discussion was the soon to be Team-ed Skype for Business which may or may not feature this particular problem.  As it updates through Office 365 it should be safe, but not many security execs are satisifed by 'should'.

"Long story short - there's so much code that would need to be rewritten that it isn't worth it to Microsoft to shore-up this version. What's not quite clear is whether this affects the grotesque UWP version of Skype or just the old desktop version."

Here is some more Tech News from around the web:

Tech Talk

• Will John Deere Finally Get Their DMCA Comeuppance? @ Hack a Day
• Meltdown's Linux patches alone add big load to CPUs, and that's just one of four fixes @ The Register
• Still not on Windows 10? Fine, sighs Microsoft, here are its antivirus tools for Windows 7, 8.1 @ The Register
• Amazon Echo Spot @ The Inquirer
• Bitcoin, Ethereum and Cryptocurrency: Ultimate Beginner’s Guide to Mining @ Kitguru
• You can resurrect any deleted GitHub account name. And this is why we have trust issues @ The Register
• AKRacing Solitude Gaming And Working Chair Review @ NikKTech

Why won't anyone believe there really are subliminal messages corrupting young digital assistants?

Subject: General Tech | January 31, 2018 - 01:04 PM | Jeremy Hellstrom
Tagged: siri, security, google, Alexa

Some of us are old enough to remember when certain parties were convinced there were subliminal messages in the music which kids listened to which they creatively blamed for a wide variety of behaviour.  This belief turned out to be as ridiculous as it sounds, though that doesn't stop it from recurring every couple of generations.  There is a somewhat similar and very real issue which The Register talks about here; using a deep neural net they were able to modify songs in such a way that digital assistants such as Echo, Siri and others would hear and execute a command while the humans in the room would only hear a slight distortion in the audio.  This particular method is much harder to protect against than the previously discovered vulnerability which was ultrasonic commands which a microphone could pick up but was well beyond the range of human hearing. 

You do need to reverse engineer the audio processing software of the digital assistant before you will be able to craft your hidden commands, however once that is done this is a very effective attack.

"The researchers tested a variety of in-song commands delivered directly to Kaldi as audio recordings, such as: "Okay Google, read mail" and "Echo, open the front door." The success rate of these was 100 per cent."

Here is some more Tech News from around the web:

Tech Talk

• Unsanitary Firefox gets fix for critical HTML-handling hijack flaw @ The Register
• Microsoft updates Office, OneDrive iOS apps with drag-and-drop, Files support @ Ars Technica
• LibreOffice 6.0 arrives as the open source Office alternative turns seven @ The Inquirer
• Samsung preps for Z-SSD smackdown on Intel Optane drives @ The Register
• Samsung is making ASIC chips for crypto mining to solidify its lead over Intel @ The Inquirer
• Inventing The Microprocessor: The Intel 4004 @ Hack a Day

Intel is hoping to find a way to kill the disease slightly more quickly than the patient

Subject: General Tech | January 22, 2018 - 03:14 PM | Jeremy Hellstrom
Tagged: Broadwell, haswell, Intel, security, meltdown, spectre

Spectre and Meltdown are about as bad as vulnerabilities can get, offering significant security issues on a wide variety of processors with only a band aid solution currently available.  It seems Intel is asking many clients to rip that band aid off as the supposed cure is now causing more widespread harm than the vulnerabilities it is to protect against.  This is not a case of performance decreases due to the patch but instead, as Intel executive vice president Neil Shenoy puts it, the patch "may introduce higher than expected reboots and other unpredictable system behaviour."  This means that not only new machines powered by Broadwell or Haswell are unprotected but also that many of your service providers will also not be installing these patches.

There is no good news out of this today, the difficulty a widespread attack is high but a targeted attack; not so much.

"We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior."

Here is some more Tech News from around the web:

Tech Talk

• Linus Torvalds slams Intel's Spectre and Meltdown fixes as 'garbage' @ The Inquirer
• Uber shrugs off flaw that lets hackers bypass two-factor authentication @ The Inquirer
• Synology Surveillance Station: Home Security At Its Best @ Modders-Inc
• Stop Those Annoying Browser Prompts Asking for Your Location or to Send Notifications @ Techspot
• Nitro Concepts S300 Gaming Chair @ Kitguru

Intel Responds to Reboot Issues with Meltdown and Spectre Updates

Subject: Processors | January 18, 2018 - 01:17 PM | Sebastian Peak
Tagged: update, spectre, security, restart, reboot, processor, patch, meltdown, Intel, cpu

The news will apparently get worse before it gets any better for Intel, as the company updated their security recommendations for the Spectre/Meltdown patches for affected CPUs to address post-patch system restart issues. Specifically, Intel notes that issues may be introduced in some configurations with the current patches, though the company does not recommend discontinued use of such updates:

" Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations".

Image credit: HotHardware

The recommendation section of the security bulletin, updated yesterday (January 17, 2018), is reproduced below:

• Intel has made significant progress in our investigation into the customer reboot sightings that we confirmed publicly last week
• Intel has reproduced these issues internally and has developed a test method that allows us to do so in a predictable manner
• Initial sightings were reported on Broadwell and Haswell based platforms in some configurations. During due diligence we determined that similar behavior occurs on other products including Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake based platforms in some configurations
• We are working toward root cause
• While our root cause analysis continues, we will start making beta microcode updates available to OEMs, Cloud service providers, system manufacturers and Software vendors next week for internal evaluation purposes
• In all cases, the existing and any new beta microcode updates continue to provide protection against the exploit (CVE-2017-5715) also known as “Spectre Variant 2”
• Variants 1 (Spectre) and Variant 3 (Meltdown) continue to be mitigated through system software changes from operating system and virtual machine vendors
• As we gather feedback from our customers we will continue to provide updates that improve upon performance and usability

Intel recommendations to OEMs, Cloud service providers, system manufacturers and software vendors

• Intel recommends that these partners maintain availability of existing microcode updates already released to end users. Intel does not recommend pulling back any updates already made available to end users
• NEW - Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations
• NEW - We further recommend that OEMs, Cloud service providers, system manufacturers and software vendors begin evaluation of Intel beta microcode update releases in anticipation of definitive root cause and subsequent production releases suitable for end users

Intel recommendations to end users

• Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied
• For PCs and Data Center infrastructure, Intel recommends that patches be applied as soon as they are available from your system manufacturer, and software vendors
• For data center infrastructure, Intel additionally recommends that IT administrators evaluate potential impacts from the reboot issue and make decisions based on the security profile of the infrastructure

Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop software updates that can help protect systems from these methods. End users and systems administrators should check with their operating system vendors and apply any available updates as soon as practical.

The full list of affected processors from Intel's security bulletin follows:

• Intel® Core™ i3 processor (45nm and 32nm)
• Intel® Core™ i5 processor (45nm and 32nm)
• Intel® Core™ i7 processor (45nm and 32nm)
• Intel® Core™ M processor family (45nm and 32nm)
• 2nd generation Intel® Core™ processors
• 3rd generation Intel® Core™ processors
• 4th generation Intel® Core™ processors
• 5th generation Intel® Core™ processors
• 6th generation Intel® Core™ processors
• 7th generation Intel® Core™ processors
• 8th generation Intel® Core™ processors
• Intel® Core™ X-series Processor Family for Intel® X99 platforms
• Intel® Core™ X-series Processor Family for Intel® X299 platforms
• Intel® Xeon® processor 3400 series
• Intel® Xeon® processor 3600 series
• Intel® Xeon® processor 5500 series
• Intel® Xeon® processor 5600 series
• Intel® Xeon® processor 6500 series
• Intel® Xeon® processor 7500 series
• Intel® Xeon® Processor E3 Family
• Intel® Xeon® Processor E3 v2 Family
• Intel® Xeon® Processor E3 v3 Family
• Intel® Xeon® Processor E3 v4 Family
• Intel® Xeon® Processor E3 v5 Family
• Intel® Xeon® Processor E3 v6 Family
• Intel® Xeon® Processor E5 Family
• Intel® Xeon® Processor E5 v2 Family
• Intel® Xeon® Processor E5 v3 Family
• Intel® Xeon® Processor E5 v4 Family
• Intel® Xeon® Processor E7 Family
• Intel® Xeon® Processor E7 v2 Family
• Intel® Xeon® Processor E7 v3 Family
• Intel® Xeon® Processor E7 v4 Family
• Intel® Xeon® Processor Scalable Family
• Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
• Intel® Atom™ Processor C Series
• Intel® Atom™ Processor E Series
• Intel® Atom™ Processor A Series
• Intel® Atom™ Processor x3 Series
• Intel® Atom™ Processor Z Series
• Intel® Celeron® Processor J Series
• Intel® Celeron® Processor N Series
• Intel® Pentium® Processor J Series
• Intel® Pentium® Processor N Series

We await further updates and developments from Intel, system integrators, and motherboard partners.

MSI motherboards BIOS versions with updated security microcode

Subject: Motherboards | January 17, 2018 - 09:56 PM | Jeremy Hellstrom
Tagged: msi, spectre, meltdown, bios, update, security

MSI have released updated BIOS versions for their Z370 motherboards to protect against Meltdown and Spectre which you can grab here.

These patches are live now, with new BIOS versions in the works for the renaming series, including all X299, 200, 100-series and X99 series including the various X, H and B sub-series motherboards.  The list is quite impressive, follow that link to see if your board will be getting an update in the near future.  The page lists the version number of the upcoming BIOS you will need, so keep an eye on this page and MSI for the official release.