Security News

'Beyond stupid': Linus Torvalds trashes 5.8 Linux kernel patch over opt-in Intel CPU bug mitigation
2020-06-02 12:19

Linus Torvalds has removed a patch in the next release of the Linux kernel intended to provide additional opt-in mitigation of attacks against the L1 data CPU cache. The patch from AWS engineer Balbir Singh was to provide "An opt-in mechanism to flush the L1D cache on context switch. The goal is to allow tasks that are paranoid due to the recent snoop-assisted data sampling vulnerabilities, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out."

Alliant and ACA Aponix unveil a new cybersecurity risk mitigation and transfer solution offering
2020-05-22 01:00

Alliant Insurance Services announced the launch of a new cybersecurity risk mitigation and transfer solution offering, PortCo Protect. "Uniting ACA's proprietary assessment risk index with our risk modeling and analytics services was a win-win," said Sandy Crystal, Executive Vice President, Alliant Specialty.

SecureTrust launches cloud-based PCI compliance and risk mitigation platform
2020-05-11 02:30

SecureTrust, a division of Trustwave, announced SecureTrust PCI Manager, a cloud-based platform delivering Payment Card Industry compliance validation and enhanced risk mitigation for acquiring banks and merchant service providers. "SecureTrust PCI Manager helps our merchants achieve PCI compliance through a process that drives accuracy and is less time consuming, giving our merchants more time to focus on growing their business and enhancing the customer experience," stated Robyn Mitchell, chief compliance officer at North American Bancard.

Insurance Giant Munich Re Invests in Rogue Device Mitigation Firm Sepio Systems
2020-03-25 22:18

Rockville, Maryland-based startup Sepio Systems, a rogue device mitigation firm, has raised a further $4 million that supplements the Series A round of $6.5 million announced in November 2019. The current chairman of the board, Tamir Pardo, was formerly the director of Mossad, while another advisor is a former CISO with the CIA. The service provided by Sepio is to detect and mitigate any rogue device that has been attached to the corporate infrastructure.

Intel patches graphics drivers and offers new LVI flaw mitigations
2020-03-12 13:05

Intel's March security updates reached its customers this week and on the face of it, the dominant theme is the bundle of flaws affecting the company's Graphics drivers. The star flaw of the month is CVE 29, the Load Value Injection weakness publicised this week by a diverse group of mainly academic security researchers.

Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling LVI flaw will slash performance
2020-03-10 17:00

Chipzilla's processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x. That's because LVI protection involves compiler and assembler updates that insert extra x86 instructions and replace problematic instructions with functionally equivalent but more verbose instruction sequences. "Being essentially a 'reverse Meltdown'-type attack, LVI abuses that a faulting or assisted load instruction executed within a victim domain does not always yield the expected result, but may instead transiently forward dummy values or data from various microarchitectural buffers."

You only LVI twice: Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling flaw will cost you 50%+ of performance
2020-03-10 17:00

Chipzilla's processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x. That's because LVI protection involves compiler and assembler updates that insert extra x86 instructions and replace problematic instructions with functionally equivalent but more verbose instruction sequences. "Being essentially a 'reverse Meltdown'-type attack, LVI abuses that a faulting or assisted load instruction executed within a victim domain does not always yield the expected result, but may instead transiently forward dummy values or data from various microarchitectural buffers."

DDoS Mitigation Firm Founder Admits to DDoS
2020-01-20 23:13

A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service attacks has pleaded guilty to paying a DDoS-for-hire service to launch attacks against others. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors.

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit
2020-01-16 23:13

Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. Within hours of the NSA going public with details about its prized bug find, exploit writers posted working code demonstrating how the flaw can be abused to trick unpatched Windows computers into accepting fake digital certificates - which are used to verify the legitimacy of software, and encrypt web connections.