So this week, there’s been a fair amount of news about the Meltdown & Spectre exploits, which affect all major processor vendors one way or another, but especially Intel, and whose mitigations require operating system and in some cases microcode updates that decrease performance for some specific tasks. Microsoft has now pushed an update for Windows 10, and since I’m reviewing the MINIX NEO N42C-4 mini PC powered by an Intel Pentium N4200 “Apollo Lake” processor, and just happened to run benchmarks before the update, I decided to run some of the benchmarks again to see if there was any significant difference before and after the security update. First I had to verify I had indeed received the update in the “installed update history”, and Windows 10 Pro was updated on January 5th with KB4056892, which is what we want, so let’s go ahead. Benchmarks before Update – PCMark 10 is one […]
Intel Hardware Security Bug Fix to Hit Performance on Windows, Linux…
Many security bugs can be fixed without a performance penalty, but according to reports Intel processors have a hardware bug – whose details have not been disclosed yet (embargo) – that seems to affect all operating systems including Windows, Linux, Mac OS, etc., and the fix may lead to significant performance hits for some tasks. We know a bit more thanks to the Kernel Page Table Isolation (KPTI) patch for Linux, which enables the fix/workaround via the X86_BUG_CPU_INSECURE feature flag. The fix used to be called KAISER, and there’s an explanation on LWN about “hiding the kernel from user space” that describes the issue: On contemporary 64-bit systems, the shared address space does not constrain the amount of virtual memory that can be addressed as it used to, but there is another problem that is related to security. An important technique for hardening the system is kernel address-space layout randomization (KASLR), which randomizes […]
Help Testing TLS 1.3 Compatibility for a More Efficient & Secure Internet
Transport Layer Security (TLS) is the protocol that allows for secure websites (via https), and currently, TLS 1.2 is the version most commonly used, with 1.0 and 1.1 still supported by many servers for backward compatibility with older browsers, including the server running this blog. TLS 1.3 is the next version, already supported in libraries and server software such as wolfSSL or nginx, and promises to be more efficient – important for battery operated devices (IoT) – thanks to features like zero-RTT (0-RTT) mode, speedier thanks to a restructured handshake state machine, and more secure. However, changes in the security protocol may break connections with some browsers or middleboxes, as I experienced when I enabled https on CNX Software using Let’s Encrypt with nginx and Cloudflare, with around 0.5% of users losing access because they were using older web browsers and operating systems such as Internet Explorer on Windows XP. According […]
Haven Open Source App Transforms Your Old Android Smartphone into a Smart Security Camera
About two years ago, I wrote a post asking what to do with old devices instead of throwing them away. My own proposals included giving them away, reselling them on eBay, recycling them for other purposes such as servers or download clients, or scavenging some parts. Other people also commented on what they did with theirs, for example setting up a Linux cluster with old TV boxes. Another way to recycle an old (Android) smartphone – albeit you could always buy an inexpensive one – is to install and run Haven, an open source app that transforms your phone into some sort of smart security camera, but instead of only using the camera of the phone, the app also logs audio events using its microphone (array), as well as data reported by its sensors. One of your first reactions might be: “cool! somebody made an app that would allow hackers or government to […]
Fingbox Helps You Monitor & Manage Devices on Your Network with Your iOS/Android Smartphone
Fing is a network scanner mobile app available for iOS and Android that allows you to discover which devices are connected to your Wi-Fi network, map devices, detect intruders, assess network security risks, troubleshoot network problems, and optimize wireless network performance. But in order to go beyond network monitoring, the developers have designed the Ubuntu Core based Fingbox hardware to add features such as access control (e.g. parental control), analyzing bandwidth usage for each client, finding Wi-Fi sweet spots / avoiding black spots, verifying your Internet speed, monitoring devices in your network, and protecting it with a digital fence that works against threats. From a hardware perspective Fingbox is a round shaped Ethernet node with the following specifications: Processor – ARMv7 processor; System Memory – 1GB RAM; Connectivity – Gigabit Ethernet. The Linux (Ubuntu Core) device just needs to be connected to your network via an Ethernet cable, and powered by its […]
MINIX based Intel Management Engine Firmware & UEFI are Closed Source & Insecure, NERF to the Rescue!
You may have heard a few things about the Intel Management Engine in recent months, especially as security issues have been found, the firmware is not easily upgradeable, and the EFF deemed it a security hazard and asked Intel for ways to disable it. In recent days, I’ve seen several media reports about the Management Engine being based on an Intel Quark x86-based 32-bit CPU running the MINIX open-source operating system. Keep in mind, there’s nothing nefarious about MINIX, it’s just that Intel keeps its own developments on top of it closed. One of the sources for the information is a blog post explaining how to disable Intel ME 11, but ZDNET also points to one of the talks at the Embedded Linux Conference Europe 2017 entitled “Replace Your Exploit-Ridden Firmware with Linux” by Ronald Minnich (Google), which explains the problem, and proposes a solution to (almost) disable Intel’s ME, and replace UEFI with a small […]
Arm’s Platform Security Architecture Aims to Secure the Internet of Things (IoT)
News is published nearly every day about a security breach or flaw in IoT devices, and last year, Softbank CEO, and new Arm owner, Masayoshi Son explained that to reach his goal of one trillion IoT devices and singularity, security had to be addressed, as everything was currently too easily hackable, including cars equipped with lots of electronics but very weak security. As Arm Techcon 2017 is underway, the company has been working on improving IoT security and announced the Platform Security Architecture (PSA) designed for low cost IoT devices. PSA has three major components: (1) Threat Models and Security Analyses derived from a range of typical IoT use cases; (2) Architecture specifications for firmware and hardware; (3) An open source project, similar to Arm Trusted Firmware for mobile clients. PSA is designed for low cost IoT devices, which would not have the resources (processing power, memory, battery power…) to run a full Trusted […]
Samsung IoT Security News – ARTIK Secure IoT Modules, SmartThings Cloud, and Secure Element
Samsung has made several announcements related to IoT, and especially IoT security. First, Samsung ARTIK 053, ARTIK 530 and ARTIK 710 modules are getting an “s” version, which stands for “robust security”, as well as a new ARTIK 055s module, and all ARTIK modules can now work with SmartThings Cloud, uniting the company’s existing services – ARTIK Cloud and Samsung Connect Cloud – into a single IoT platform. Separately, the company announced their Secure Element solution, which combines eFlash memory and new security software. Samsung ARTIK “s” modules & ARTIK 055s – The company explains in their blog that ARTIK 053s, 530s, 710s, and the all new 055s will feature “advanced protection, integrated cloud services, and hosted security services” with “enhanced ARTIK end-to-end security by providing greater protection for IoT data as well as prevention against hacking”. The press release is a little more specific: ARTIK secure IoT modules provide a strong root […]