On Monday Intel and Microsoft disclosed a newly found variant of the Spectre and Meltdown security flaws, revealing another vulnerability in chips used in hundreds of millions of computers and mobile devices.
Intel is calling the new strain "Variant 4." While this latest variant taps into many of the same security vulnerabilities that were first revealed in January, it uses a different method to extract sensitive information.
Spectre and Meltdown have continued to haunt companies like Intel, Arm and AMD, which have produced chips with the flaws for everything from computers and laptops to mobile devices. The vulnerabilities, which could allow attackers to read sensitive information on your CPU, affected hundreds of millions of chips from the last two decades. While companies like Intel, Apple and Microsoft have issued updates to patch the flaws, the fixes haven't always worked as intended, sometimes causing computer problems.
Hackers often scour online for vulnerabilities that'll allow them to carry out attacks. The WannaCry ransomware attack, for example, took advantage of Windows computers whose owners never implemented a Microsoft patch.
The newly found variant uses something called "Speculative Store Bypass," which could allow your processor to load sensitive data to potentially insecure spaces.
In the US-CERT's advisory, officials said the new flaw would enable attackers to read older memory values on your CPU.
Intel said it hasn't actually seen this vulnerability used by hackers, and that it's releasing a complete fix for the flaws over the coming weeks. The company's executive vice president of security, Leslie Culbertson, said in a post that Intel has already made the update available for manufacturers and software vendors.
Don't be deceived by marketing talk, however: it looks like the patch will indeed affect performance. While Intel says it doesn't expect the patch to affect computer performance, it has acknowledged that performance on the company's test systems dropped between 2 and 8 percent after applying the patch.
The fix is designed to be turned off by default, according to Intel, and it'll be up to vendors to enable it.
Sent to us by: Jeff Weston
The University of Greenwich has been fined £120,000 by the Information Commissioner—roughly $160,000 USD—for a data breach that happened 14 years ago.
The fine was for a security breach in which the personal data of 19,500 students was placed online.
The data included names, addresses, dates of birth, phone numbers, signatures and—in some cases—physical and mental health problems.
It was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down.
The Information Commissioner said Greenwich was the first university to receive a fine under the Data Protection Act of 1998 and described the breach as "serious."
In a statement, the university said it would not appeal against the decision.
It said it had carried out "an unprecedented overhaul" of its data protection and security systems since the discovery of the breach in 2016, and it had invested in both technology and staff.
It also said the fine would be reduced to £96,000 with a prompt payment discount.
Sent to us by: Roy W. Nash
Social networking giant and market-leading data broker Facebook is once again taking heat for playing fast and loose with its access to personal information.
This time, it's the Facebook Android app that is under the spotlight after folks noticed it requesting an extraordinary amount of access privileges: specifically, requesting "superuser" access to a device, granting it full control over a handheld.
For Android devices, the "superuser" classification would basically grant an app full access to the device and data stored on it.
Researchers who have examined Android's code have suggested it could be due to the SDKs used by some new features.
Facebook has since posted a statement saying, “A coding error in one of our anti-fraud systems caused a small number of people running the Facebook app and certain permission management apps on rooted Android phones to see a request for additional access permissions. We do not need or want these permissions, and we have already fixed this issue. We apologize for any confusion.”
The situation is reminiscent, however, of the 2016 findings that Facebook's app was getting microphone access for the placement of ads, and it comes at a potentially bad time for Facebook, which is trying to regain the trust of its users after the recent revelations surrounding Cambridge Analytica.
Sent to us by: Roy W. Nash