They fall into several classes referred to as RyzenFall, MasterKey, Fallout, and Chimera. They have been verified independently by other security researchers, but AMD has yet to officially confirm them. They seem pretty bad though.
The public disclosure of the above-mentioned AMD issues happened only 24 hours after AMD was made aware. The CEO of the company that disclosed them explains that he prefers it this way: let the public know there are issues, but keep the actual technical details for the vendor only until they can fix it.
One could say 'duh', but they've now officially said so. The new CPUs are redesigned to have "protective walls" between potentially malicious code and places where speculative execution is taking place.
This is a pretty significant boost to security. If an HTTP link is shared on Facebook they will automatically make it HTTPS if the target website supports it.
There are currently two large coinminer operations underway: one targeting old Redis servers and Windows servers vulnerable to EternalBlue, and one targeting older Solr versions.
Let's Encrypt continues to be awesome. You can now get a free certificate that covers all your subdomains (i.e. put HTTPS on 'domain.com', but also 'admin.domain.com' and 'help.domain.com'). Verification happens through DNS TXT records.
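The TXT-record check behind that wildcard issuance is the ACME DNS-01 challenge: the CA looks up `_acme-challenge.<base domain>` and expects a base64url SHA-256 digest derived from the challenge token and your account key's thumbprint. The following is an added illustration of that computation and the matching check, not Let's Encrypt or Certbot code; the account key, token and observed records are constructed, and `domain.com` is the placeholder domain used above.

```python
"""ACME DNS-01 record computation and check (RFC 8555 section 8.4, RFC 7638 thumbprint).
Added example; the EC account key, the token and the observed TXT records are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint)); the key authorization itself is never published."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """Record name the CA queries; a wildcard '*.domain.com' is validated at the base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def expected_record(domain: str, token: str, jwk: dict) -> tuple:
    """(name, value) pair the DNS operator has to publish for this authorization."""
    return challenge_name(domain), dns01_txt_value(token, jwk)


def verify_dns01(domain: str, token: str, jwk: dict, observed_txt: dict) -> bool:
    """Mirror of the CA-side check: any TXT record at the challenge name equal to the expected value passes."""
    expected = dns01_txt_value(token, jwk)
    return any(value == expected for value in observed_txt.get(challenge_name(domain), []))


# Constructed P-256 account key (coordinates are dummy bytes, not a real key) and a constructed token.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "kid": "https://acme.example/acct/1",  # extra member; must not affect the thumbprint
}
TOKEN = "constructed-token-0123456789abcdef"


if __name__ == "__main__":
    name, value = expected_record("*.domain.com", TOKEN, ACCOUNT_JWK)
    print(f"publish: {name} IN TXT \"{value}\"")
    # Constructed zone snapshot as a resolver would return it (old record left in place plus the new one).
    zone = {name: ["stale-value-from-last-renewal", value]}
    print("CA check passes:", verify_dns01("*.domain.com", TOKEN, ACCOUNT_JWK, zone))
```

Leaving a stale TXT record behind is harmless for the check itself, but since the record name is the same for every renewal of the base domain, automation should clean up old values so the zone does not accumulate them.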
In short: blocking of app traffic that doesn't use HTTPS, restricting microphone and camera usage in the background, saving of backup encryption keys client-side and better consistency in the fingerprint UI.
Update all the things \o/
Non-exhaustive list of updates I came across:
- Microsoft's Patch Tuesday happened, fixing 75 vulnerabilities, 15 of which are rated critical: link
- Samba released a new version fixing two serious security issues: link
- Cisco fixed two critical issues in its Secure Access Control Systems (ACS) and Prime Collaboration Provisioning (PCP) software: link
- If you're somehow still using Flash, their new update fixes a remote code execution issue: link
The APIs to detect face proximity and ambient light will be removed. They weren't really useful for most people, yet could be (very creatively) used to determine things like browser history.
I don't know much about Windows security, but this article seems to list a great set of pointers on securing Windows workstations.
If you want to dig into how screwed you are if an attacker gets physical access to your USB ports, this is the post for you.
I found this interesting because I didn't realise this was a thing: only opening your SSH port after the visitor tries to connect to certain other ports in a certain order, like a combination lock. Not sure how practical this is to use, but fun to know about. The article explains how to make this happen with iptables.
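The iptables version of this is usually built from the `recent` match: each correct knock moves the source one stage forward, a packet to any other port resets it, and a stage expires after a few seconds. The following is an added illustration of that state machine in Python (not the article's own rules) so you can see the decisions a firewall would take for a stream of connection attempts; the knock sequence, the timeout and the log lines are constructed, and the log format is a simplified one of my own, not real iptables output.

```python
"""Port-knocking state machine modelled on the iptables 'recent' module approach.
Added example; knock sequence, timeout and the log lines below are constructed."""
import re
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed example sequence
STAGE_TIMEOUT = 10.0                 # seconds a stage (or the open door) stays valid
SSH_PORT = 22

# Constructed line format, not iptables LOG output: "<epoch seconds> src=<ip> dpt=<port>"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) src=(?P<src>\S+) dpt=(?P<port>\d+)$")


@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = STAGE_TIMEOUT
    # src_ip -> (stage reached, timestamp of last correct knock)
    stages: dict = field(default_factory=dict)

    def _current_stage(self, src: str, now: float) -> int:
        """Stage of a source, forgetting it if its last knock is older than the timeout."""
        stage, seen_at = self.stages.get(src, (0, None))
        if seen_at is not None and now - seen_at > self.timeout:
            self.stages.pop(src, None)
            return 0
        return stage

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record one inbound attempt; True if it was the correct next knock."""
        stage = self._current_stage(src, now)
        if stage < len(self.sequence) and port == self.sequence[stage]:
            self.stages[src] = (stage + 1, now)
            return True
        # Wrong, repeated or out-of-order port: drop the source back to the start,
        # which is what the usual '-m recent --remove' rule does.
        self.stages.pop(src, None)
        return False

    def is_open(self, src: str, now: float) -> bool:
        """True once the whole sequence was completed within the timeout window."""
        return self._current_stage(src, now) == len(self.sequence)

    def decide(self, src: str, port: int, now: float) -> str:
        """Emulate the filter chain: SSH is ACCEPTed only for sources that knocked correctly."""
        if port == SSH_PORT:
            return "ACCEPT" if self.is_open(src, now) else "DROP"
        return "KNOCK" if self.knock(src, port, now) else "RESET"


def replay(log_text: str, tracker: KnockTracker = None) -> list:
    """Run constructed log lines through the tracker and return the decision per line."""
    tracker = tracker or KnockTracker()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        decisions.append(tracker.decide(m["src"], int(m["port"]), float(m["ts"])))
    return decisions


# Constructed traffic: 203.0.113.5 knocks correctly, 198.51.100.9 knocks out of order,
# and the first host comes back after the door has timed out.
LOG_LINES = """\
1000.0 src=203.0.113.5 dpt=7000
1000.5 src=198.51.100.9 dpt=7000
1001.0 src=203.0.113.5 dpt=8000
1001.5 src=198.51.100.9 dpt=9000
1002.0 src=203.0.113.5 dpt=9000
1002.5 src=198.51.100.9 dpt=22
1003.0 src=203.0.113.5 dpt=22
1100.0 src=203.0.113.5 dpt=22
"""

if __name__ == "__main__":
    for line, decision in zip(LOG_LINES.splitlines(), replay(LOG_LINES)):
        print(f"{line:40} -> {decision}")
```

Note what the model makes obvious: the knock sequence is a shared secret sent in clear on the wire, so anyone observing the path can replay it. It reduces the noise from scanners hitting port 22, but SSH key authentication is still what actually protects the host.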
Just a reminder that if you read Hackernews too, I started a newsletter that sends a daily digest based on upvotes.
Attackers only need to find and exploit one vulnerability in your web application to create havoc.
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.