A side-channel leak in Intel's Skylake and Kaby Lake chips allow attackers to pilfer crypto keys, and the issue probably affects AMD CPUs, too.
Over the past 11 months, the processors running our computers, and in some cases phones, have succumbed to a host of attacks. The exploits threaten to siphon some of our most sensitive secrets—say passwords or cryptographic keys—out of the silicon microarchitecture in ways that can’t be detected or stopped by traditional security defenses. On Friday, researchers disclosed yet another leak that has already been shown to exist on a wide range of Intel chips and may also affect other makers, too.
PortSmash, as the new attack is being called, exploits a largely overlooked side-channel in Intel’s hyperthreading technology. A proprietary implementation of simultaneous multithreading, hyperthreading reduces the amount of time needed to carry out parallel computing tasks, in which large numbers of calculations or executions are carried out simultaneously. The performance boost is the result of two logical processor cores sharing the hardware of a single physical processor. The added logical cores make it easier to divide large tasks into smaller ones that can be completed more quickly.
In a paper scheduled for release soon, researchers document how they were able to exploit the newly discovered leak to recover an elliptic curve private key from a server running an OpenSSL-powered TLS server. The attack, which was carried out on servers running Intel Skylake and Kaby Lake chips and Ubuntu, worked by sending one logical core a steady stream of instructions and carefully measuring the time it took for them to get executed.
The specific timing allowed PortSmash to deduce the key being processed in another logical core of the same processor.
The researchers feel remote login scenarios are the biggest targeted threat. In this scenario, a malicious user with credentials logs in via SSH, for example, then compiles the exploit code, and runs it to extract information from other processes running in parallel.
PortSmash currently poses a threat mainly to people using computers or services that allow untrusted people to use the same physical processor. These users should pay close attention to the research and carefully consider the recommendations. For the time being, the risk to others is likely low, but that could change with more research.
Sent to us by: Roy W. Nash
Iran apparently infiltrated the communications network of CIA agents who allowed their secret websites, used to exchange messages with informants, to be crawled by Google.
The communications leak was believed to have stemmed from a simple Google search. Suspecting the US had agents and sources within its nuclear program, Iran began to hunt for the mole. After a double agent showed Iran's government one of the sites, they were then able to use Google to identify other sites the intel agency was using, and began to intercept their communications.
Essentially, each of the websites had common elements between them that were found using Google searches. Identify one common element; identify all the sites using that material to link them up.
The report from Yahoo! News states, "Because Google is continuously scraping the internet for information about all the world’s websites, it can function as a tremendous investigative tool — even for counter-espionage purposes"
Once Iran was able to track down the sites, their techniques were given to other friendly countries, who in turn used the information to weed out the CIA's communications channels in their own territories as well.
Sadly, this has lead to the capture and execution of at least 30 agents.
An official quoted in the report claims the agency had become too reliant on the system, which was originally intended to only be a temporary communications channel, and had left the relatively insecure site up far longer than intended and used it to send information that should have been reserved for more secure channels.
The official says, "The issue was that it was working well for too long, with too many people."
A defense contractor for the CIA claims he warned the agency that it was using insecure communications systems in 2008, and again in 2010 when he started to suspect the channels had been cracked. A year later he was sidelined and fired by the agency, a move he claims was retaliation for not shutting up.
Sent to us by: Roy W. Nash
Several popular verified Twitter accounts have been hacked by scammers to promote an ad using Tesla boss Elon Musk's name and likeness.
British fashion retailer Matalan, film distributor Pathe UK and US publisher Pantheon Books were among those whose accounts were taken over by scam artists.
The scam used promoted tweets - where Twitter is paid by advertisers to make a tweet appear to a wider audience.
Scammers targeted several "verified" accounts (denoted with a blue tick) and changed the name and image to that of Mr Musk.
The tweet then urged users to part with a small amount of Bitcoin - a digital currency - to supposedly receive more.
Several other verified accounts, which were also taken under the scam artists' control, appear in the tweet's comments to claim that they have received Bitcoin from Mr Musk.
By using accounts with Twitter's own verification mark (a blue tick), it makes the account appear legitimate at first glance and thus may fool the reader into thinking it is official.
The scam is made to seem more trustworthy as various other compromised accounts reply to the tweet claiming that it works.
But many of the posts still bear the hallmarks of classic scams - including frequent spelling errors -- like "Bitcoic" and "suppoot" -- and a request for money.
The account handle itself is also incorrect - a legitimate tweet from Elon Musk would read @elonmusk beside the blue tick. In this case, it reads @patheuk - as the account originally belonged to film distributor Pathe UK.
The tweets have since been deleted with many accounts recovered, though some were left blank while waiting for their owners to re-enter their name and profile picture.
Sent to us by: Roy W. Nash
One of our favorite SBC makers is now making an affordable Linux-powered smartphone and tablet with KDE Plasma--and we have the inside scoop.
Following the demise of Ubuntu Phone, Purism’s Librem 5 seems like the next big thing in the budding world of Linux smartphones. Purism has already partnered with big names like GNOME and KDE, and we can expect the device to start shipping in April 2019.
That said, it seems like another hardware vendor is looking to develop its own Linux smartphone, and it's a company we already know and love!
Pine64 is working to create inexpensive Linux-based smartphones and tablets.
KDE Neon creator Jonathan Riddell revealed this at Open Source Summit, Europe Edition. Pine64 founder TL Lim confirmed to "It’s FOSS" that the devices are called PinePhone and PineTab.
PINE64 Community Admin, Lukasz Erecinski tells us that the early PinePhone development kits have already been sent to key developers. Active development should start next week. The PineTab is almost complete and is awaiting relevant software support.
For the PinePhone, while the details won't be officially announced until FOSDEM in February, here's what we know...
It runs Linux, there will be support from more than 2 different major projects on launch, it has a 1440x720p IPS panel screen and sleek, modern design features, the front and back cameras are 5 Megapixels each, they're aiming for higher-end production materials, with hopes of a gorilla glass sandwich -- with glass on both the front and back of the PinePhone.
Pine64 plans to implement a better I/O into the PinePhone than is available on most commercially available phones, and the design is modular, allowing the swapping and upgrading of components such as the LTE capabilities.
The PinePhone will be priced between $150-179 USD and will be available -- barring any unexpected delays -- as early early as late 2019.
There isn't a lot of information available about the PineTab just yet as it's still being developed, and the official announcement will go out at FOSDEM next year as well, but we do know it has a 720p IPS panel, and is built for education and budget use, with a target price of about $100 USD.
One cool feature we can reveal about the PineTab is that it includes a magnetic keyboard that connects to the PineTab with pogo pins to USB, and doubles as a protective cover.
Sent to us by: Roy W. Nash