Ars Technica

Syndicated content: security – Ars Technica
Serving the Technologist for more than a decade. IT news, reviews, and analysis.

New modification of the old cold boot attack leaves most systems vulnerable

13 September, 2018 - 22:26


Cold boot attacks, used to extract sensitive data such as encryption keys and passwords from system memory, have been given new blood by researchers from F-Secure. First documented in 2008, cold boot attacks depend on the ability of RAM to remember values even across system reboots. In response, systems were modified to wipe their memory early during the boot process—but F-Secure found that, in many PCs, tampering with the firmware settings can force the memory wipe to be skipped, once again making the cold boot attacks possible.

The RAM in any commodity PC is more specifically called Dynamic RAM (DRAM). The "dynamic" here is in contrast to the other kind of RAM (used for caches in the processor), static RAM (SRAM). SRAM retains its stored values for as long as the chip is powered on; once the value is stored, it remains that way until a new value is stored or power is removed. It doesn't change, hence "static." Each bit of SRAM typically needs six or eight transistors; it's very fast, but the high transistor count makes it bulky, which is why it's only used for small caches.

DRAM, on the other hand, has a much smaller size per bit, using only a single transistor paired with a capacitor. These capacitors lose their stored charge over time; when they're depleted, the DRAM no longer retains the value it was supposed to remember. To handle this, the DRAM is refreshed multiple times per second to top up the capacitors and rewrite the values being stored. This rewriting is what makes DRAM "dynamic." It's not just the power that needs to be maintained for DRAM; the refreshes also need to occur.


Category: Hacking & Security

Georgia says switching back to all-paper voting is logistically impossible

12 September, 2018 - 10:30

A stack of voter access cards at a polling location during the Georgia primary runoff elections in Atlanta, Georgia, on Tuesday, July 24, 2018. (credit: Elijah Nouvelage/Bloomberg via Getty Images)

A group of activists in Georgia has gone to court with a simple request to election officials: in the name of election security, do away with electronic voting entirely and let the more than 6.1 million voters in the upcoming November 2018 election cast ballots entirely by paper. Georgia is just one of five American states that use purely digital voting without any paper record.

As part of this ongoing federal lawsuit, known as Curling v. Kemp, Georgia Secretary of State Brian Kemp's office says that such a change would be "reckless" with the election less than 60 days away. Plus, modifying the voting process would be too expensive, too unwieldy, and, in the end, not worth it.

"Plaintiffs raise only spectral fears that [Direct Recording Electronic machines] will be hacked and votes miscounted," John Salter, an attorney representing the state, wrote in a recent court filing.


Windows 10 support extended again: September releases now get 30 months

6 September, 2018 - 17:55

Licensing is not really the easiest topic to illustrate. (credit: Peter Bright)

In its continued efforts to encourage corporate customers to make the switch to Windows 10, Microsoft is shaking up its support and life cycle plans again. Support for some Windows 10 releases is being extended, and the company is offering new services to help detect and address compatibility issues should they arise.

The new policy builds on and extends the commitments made in February this year. Microsoft has settled on two annual feature updates (the "Semi-Annual Channel," SAC) to Windows 10, one finalized in March (and delivered in April) and the other finalized in September (and delivered in October). Initially, the company promised 18 months of support for each feature update, a policy that would allow customers to defer deployment of feature updates or even skip some updates entirely. Going forward, the September releases are going to see even longer support periods; for Windows 10 Enterprise and Windows 10 Education, each September release will receive 30 months of servicing. In principle, an organization that stuck to the September releases could go two years between feature updates.

Customers of Windows 10 Home, Pro, and Pro for Workstations will continue to receive only 18 months of updates for both March and September releases.


Google wants to get rid of URLs but doesn’t know what to use instead

5 September, 2018 - 16:04

This is how Chrome 57 displays https://www.xn--80ak6aa92e.com/. Note the https://www.apple.com in the address bar.

Uniform Resource Locators (URLs), the online addresses that make up such an important part of the Web and browsers we use, are problematic things. Their complex structure is routinely exploited by bad actors who create phishing sites that superficially appear to be legitimate but are in fact malicious. Sometimes the tricks are as simple as creating a long domain name that's too wide to be shown in a mobile browser; other times, such as in the above picture, more nefarious techniques are used.

It's for this reason that a number of Chrome developers want to come up with something new. But what that new thing should be is harder to say.

Browsers are already taking a number of steps to try to tame URLs and make them less prone to malicious use. Chrome's use of "Not Secure" labels instead of showing the protocol name (http or https) replaces a piece of jargon with something that anyone can understand. Most browsers these days use color to highlight the actual domain name (printed in black type) from the rest of the URL (printed in grey type); Apple's Safari goes a step further, with its address bar suppressing the entire URL except for the domain name, revealing the full text only when the address box is clicked. Microsoft's Edge (and before it, Internet Explorer) dropped support for URLs with embedded usernames and passwords, because their legitimate uses were overwhelmed by malicious ones.


Microsoft obliquely acknowledges Windows 0-day bug published on Twitter

29 August, 2018 - 18:18

Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

— SandboxEscaper (@SandboxEscaper) August 27, 2018

A privilege escalation flaw in Windows 10 was disclosed earlier this week on Twitter. The flaw allows anyone with the ability to run code on a system to elevate their privileges to "SYSTEM" level, the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser. This kind of privilege escalation flaw enables attackers to break out of sandboxes and unprivileged user accounts so they can more thoroughly compromise the operating system.

Microsoft has not exactly acknowledged the flaw exists; instead it offered a vague and generic statement: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule." So, if the flaw is acknowledged (and it's certainly real!) then the company will most likely fix it in a regular update released on the second Tuesday of each month.

The tweet links to a GitHub repository that contains a write-up of the issue and demonstration code to exploit the flaw. The bug lies in the Task Scheduler service: it includes an improperly secured API that allows an attacker to overwrite most files on the system with contents of their choosing. By overwriting a file that's subsequently loaded into a privileged SYSTEM-level process, the attacker can run code of their choosing with SYSTEM privileges. The proof of concept overwrites a file used by Windows' printing subsystem—Windows will then run the attacker's code when an attempt is made to print.


The adventures of lab ED011—“Nobody would be able to duplicate what happened there”

27 August, 2018 - 15:00

The University Politehnica building that hosts the Automatic Control and Computer Science (ACCS) program. (credit: Adi Dabu)

BUCHAREST, Romania—At the edge of Europe, Romania’s University Politehnica of Bucharest has long been the most prestigious engineering school in the region. Here, a terracotta-tiled building looms large over the campus, hosting the faculty of the Automatic Control and Computer Science (ACCS) program. On the ground floor, close to the entrance, is a humble computer lab. The label reads ED011.

Back in the early 1990s, after Romania escaped the grip of communism, this room was one of the few places offering an Internet connection free of charge. So every night, when no one was watching, students descended upon the lab to connect to the rest of the world. Eager to learn about life in Western Europe and the US, these students already had the look of their counterparts there—long hair, blue jeans, and Metallica shirts.

“Computers gave us the possibility to communicate with people around the world, which was extraordinary,” a former student named Lari tells me today. The ED011 computer lab did more than that, of course. It gave these students total freedom—to not only chat on the early Web but to explore all the odd nooks and crannies of computer science.
