Security News

Linus Torvalds has removed a patch in the next release of the Linux kernel intended to provide additional opt-in mitigation of attacks against the L1 data CPU cache. The patch from AWS engineer Balbir Singh was to provide "An opt-in mechanism to flush the L1D cache on context switch. The goal is to allow tasks that are paranoid due to the recent snoop-assisted data sampling vulnerabilities, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out."

Linus Torvalds has removed a patch in the next release of the Linux kernel intended to provide additional opt-in mitigation of attacks against the L1 data CPU cache. The patch from AWS engineer Balbir Singh was to provide "An opt-in mechanism to flush the L1D cache on context switch. The goal is to allow tasks that are paranoid due to the recent snoop-assisted data sampling vulnerabilities, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out."

Alliant Insurance Services announced the launch of a new cybersecurity risk mitigation and transfer solution offering, PortCo Protect. "Uniting ACA's proprietary assessment risk index with our risk modeling and analytics services was a win-win," said Sandy Crystal, Executive Vice President, Alliant Specialty.

SecureTrust, a division of Trustwave, announced SecureTrust PCI Manager, a cloud-based platform delivering Payment Card Industry compliance validation and enhanced risk mitigation for acquiring banks and merchant service providers. "SecureTrust PCI Manager helps our merchants achieve PCI compliance through a process that drives accuracy and is less time consuming, giving our merchants more time to focus on growing their business and enhancing the customer experience," stated Robyn Mitchell, chief compliance officer at North American Bancard.

Rockville, Maryland-based startup Sepio Systems, a rogue device mitigation firm, has raised a further $4 million that supplements the Series A round of $6.5 million announced in November 2019. The current chairman of the board, Tamir Pardo, was formerly the director of Mossad, while another advisor is a former CISO with the CIA. The service provided by Sepio is to detect and mitigate any rogue device that has been attached to the corporate infrastructure.

Intel's March security updates reached its customers this week and on the face of it, the dominant theme is the bundle of flaws affecting the company's Graphics drivers. The star flaw of the month is CVE 29, the Load Value Injection weakness publicised this week by a diverse group of mainly academic security researchers.

Chipzilla's processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x. That's because LVI protection involves compiler and assembler updates that insert extra x86 instructions and replace problematic instructions with functionally equivalent but more verbose instruction sequences. "Being essentially a 'reverse Meltdown'-type attack, LVI abuses that a faulting or assisted load instruction executed within a victim domain does not always yield the expected result, but may instead transiently forward dummy values or data from various microarchitectural buffers."

Chipzilla's processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x. That's because LVI protection involves compiler and assembler updates that insert extra x86 instructions and replace problematic instructions with functionally equivalent but more verbose instruction sequences. "Being essentially a 'reverse Meltdown'-type attack, LVI abuses that a faulting or assisted load instruction executed within a victim domain does not always yield the expected result, but may instead transiently forward dummy values or data from various microarchitectural buffers."

A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service attacks has pleaded to paying a DDoS-for-hire service to launch attacks against others. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors.

Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. Within hours of the NSA going public with details about its prized bug find, exploit writers posted working code demonstrating how the flaw can be abused to trick unpatched Windows computers into accepting fake digital certificates - which are used to verify the legitimacy of software, and encrypt web connections.