The computer and software security thread

Technology, computers, internet, websites, mobiles, cameras, audio and video.
SPONSORS: Hua Hin Web Design
Post Reply
Homer
Rock Star
Rock Star
Posts: 3336
Joined: Sun Mar 21, 2010 3:11 pm

Update for 64bit Intel chips intended to slow PCs and Macs

Post by Homer »

Security is the main reason. Slowing PCs will be a side effect. There is a security flaw in 64-bit Intel architecture. The kernel of Windows, MacOS, and Linux operating systems will be updated. One source said to expect between a 5% and 30% reduction in speed.

https://www.theregister.co.uk/2018/01/0 ... sign_flaw/
User avatar
buksida
Moderator
Moderator
Posts: 22475
Joined: Tue Dec 31, 2002 12:25 pm
Location: south of sanity

Re: The computer and software security thread

Post by buksida »

More on that ...

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

More: https://spectreattack.com/
Who is the happier man, he who has braved the storm of life and lived or he who has stayed securely on shore and merely existed? - Hunter S Thompson
User avatar
PeteC
Moderator
Moderator
Posts: 29922
Joined: Tue Mar 23, 2004 7:58 am
Location: All Blacks training camp

Re: The computer and software security thread

Post by PeteC »

I'm in luck I guess. I don't store any passwords, they're welcome to look at family and dog photos, emails consist of family banter and my daughter's school correspondence. Instant messages, see email. Retired so no business any longer. My computer would be quite a boring hack for anyone. :( :D Pete :cheers:
Governments are instituted among Men, deriving their just powers from the consent of the governed. Source
User avatar
Nereus
Hero
Hero
Posts: 10869
Joined: Tue Jan 02, 2007 3:01 pm
Location: Hua Hin and Bangkok

Re: The computer and software security thread

Post by Nereus »

Apple to issue fix for iPhones, Macs at risk from chip flaw

https://www.bangkokpost.com/tech/world- ... recent_box

Apple Inc will release a patch for the Safari web browser on its iPhones, iPads and Macs within days, it said on Thursday, after major chipmakers disclosed flaws that leave nearly every modern computing device vulnerable to hackers.

On Wednesday, Alphabet Inc's Google and other security researchers disclosed two major chip flaws, one called Meltdown affecting only Intel Corp chips and one called Spectre affecting nearly all computer chips made in the last decade. The news sparked a sell-off in Intel's stock as investors tried to gauge the costs to the chipmaker.
Related video: Security flaws put virtually all phones, computers at risk

In a statement on its website, Apple said all Mac and iOS devices are affected by both Meltdown and Spectre. But the most recent operating system updates for Mac computers, Apple TVs, iPhones and iPads protect users against the Meltdown attack and do not slow down the devices, it added, and Meltdown does not affect the Apple Watch.

Macs and iOS devices are vulnerable to Spectre attacks through code that can run in web browsers. Apple said it would issue a patch to its Safari web browser for those devices "in the coming days."

Shortly after the researchers disclosed the chip flaws on Wednesday, Google and Microsoft Corp released statements telling users which of their products were affected.
Google said its users of Android phones -- more than 80% of the global market -- were protected if they had the latest security updates.

Apple remained silent for more than a day about the fate of the hundreds of millions of users of its iPhones and iPads. Ben Johnson, co-founder and chief strategist for cyber security firm Carbon Black, said the delay in updating customers about whether Apple's devices are at risk could affect Apple's drive to get more business customers to adopt its hardware.

"Something this severe gets the attention of all the employees and executives at a company, and when they go asking the IT and security people about it and security doesn't have an answer for iPhones and iPads, it just doesn't give a whole lot of confidence," Johnson said.
May you be in heaven half an hour before the devil know`s you`re dead!
hhinner
Rock Star
Rock Star
Posts: 4291
Joined: Fri Nov 09, 2012 2:17 pm

Re: RE: Re: The computer and software security thread

Post by hhinner »

PeteC wrote:I'm in luck I guess. I don't store any passwords, they're welcome to look at family and dog photos, emails consist of family banter and my daughter's school correspondence. Instant messages, see email. Retired so no business any longer. My computer would be quite a boring hack for anyone. :( :D Pete :cheers:
Pete, it's not about stealing data from your hard drive. It's about stealing data from one program by another program by using a protected memory exploit while the first program is using the data and has it in memory. Of course your passwords are safe if you never use them. :)
Homer
Rock Star
Rock Star
Posts: 3336
Joined: Sun Mar 21, 2010 3:11 pm

Re: The computer and software security thread

Post by Homer »

Steve Gibson* released a free Windows app that tests the vulnerability of your hardware and windows version to Meltdown and Spectre. If either is vulnerable, the app offers the choice of modifying the registry to fix that - and slow down the machine. When Microsoft has a fix, it too will slow down your machine.

Its free. https://www.grc.com/inspectre.htm. Steve warns it was released yesterday, so check back for updates.

*Never heard of him? He's long been considered a wizard in both security and data recovery.
User avatar
Spitfire
Addict
Addict
Posts: 5248
Joined: Thu Apr 10, 2008 1:17 pm
Location: Thailand

Re: The computer and software security thread

Post by Spitfire »

There is no such thing as computer security, only thing you can do is lengthen the odds as to whether you will be compromised by the scumbags.
Resolve dissolves in alcohol
Homer
Rock Star
Rock Star
Posts: 3336
Joined: Sun Mar 21, 2010 3:11 pm

Re: The computer and software security thread

Post by Homer »

Spitfire wrote: Tue Jan 16, 2018 9:23 pm There is no such thing as computer security, only thing you can do is lengthen the odds as to whether you will be compromised by the scumbags.
Both Merriam and Webster disagree.
Definition of security
plural securities
1 : the quality or state of being secure: such as
a : freedom from danger : safety
b : freedom from fear or anxiety
c : freedom from the prospect of being laid off : job security
2 a : something given, deposited, or pledged to make certain the fulfillment of an obligation
b : surety
3 : an instrument of investment in the form of a document (such as a stock certificate or bond) providing evidence of its ownership
4 a : something that secures : protection
b (1) : measures taken to guard against espionage or sabotage, crime, attack, or escape
(2) : an organization or department whose task is security

https://www.merriam-webster.com/dictionary/security
User avatar
404cameljockey
Ace
Ace
Posts: 1780
Joined: Sat Apr 30, 2016 5:14 am

Re: The computer and software security thread

Post by 404cameljockey »

Homer wrote: Tue Jan 16, 2018 9:04 pm Steve Gibson* released a free Windows app that tests the vulnerability of your hardware and windows version to Meltdown and Spectre. If either is vulnerable, the app offers the choice of modifying the registry to fix that - and slow down the machine. When Microsoft has a fix, it too will slow down your machine.

Its free. https://www.grc.com/inspectre.htm. Steve warns it was released yesterday, so check back for updates.

*Never heard of him? He's long been considered a wizard in both security and data recovery.
Thanks, Homer.
I ran InSpectre as admin, and it says my system is vulnerable on both counts, but the 'fix' buttons are greyed out. I think the reason may be that it's Win 10 just needing updating (my system seems not to be auto updating at the moment, I have too check that, 360 Total Security is supposed to patch my OS regularly. I'll try that first.

Also 360 Total Security initially identified InSpectre at malware, other AV software may do the same so people may need to de-quarantine and protect the executable after downloading.
Homer
Rock Star
Rock Star
Posts: 3336
Joined: Sun Mar 21, 2010 3:11 pm

Re: The computer and software security thread

Post by Homer »

404cameljockey wrote: Wed Jan 17, 2018 9:21 am Thanks, Homer.
...
Also 360 Total Security initially identified InSpectre at malware, other AV software may do the same so people may need to de-quarantine and protect the executable after downloading.
You're welcome.

Malware warning fixed in v2.0. From same URL as the download link:

BOGUS “SmartScreen” WARNING
Windows Defender “SmartScreen” appears to have decided that InSpectre is malware. This also happened briefly after the release of our Never10 utility. In this case, it is likely due to the fact that InSpectre's initial release was triggering anti-virus scanners due to the program's use of a registry key used to enable and disable the Meltdown and Spectre protections. This second release obscures its use of that (apparently worrisome) key and now appears to pass through most A/V without trouble. So this SmartScreen false alarm will hopefully disappear soon.

404cameljockey wrote: Wed Jan 17, 2018 9:21 am ...
I ran InSpectre as admin, and it says my system is vulnerable on both counts, but the 'fix' buttons are greyed out. I think the reason may be that it's Win 10 just needing updating (my system seems not to be auto updating at the moment, I have too check that, 360 Total Security is supposed to patch my OS regularly. I'll try that first.
...
InSpectreTop.jpg
InSpectreTop.jpg (77.9 KiB) Viewed 643 times
InSpectreBot.jpg
InSpectreBot.jpg (87.8 KiB) Viewed 643 times
User avatar
404cameljockey
Ace
Ace
Posts: 1780
Joined: Sat Apr 30, 2016 5:14 am

Re: The computer and software security thread

Post by 404cameljockey »

Yes that's what I see. Win 10 is now fully up to day and system restarted but the buttons are greyed out and have been every time I've run InSpectre, so still are inactive. Weird.

I'll check their website tomorrow.
Homer
Rock Star
Rock Star
Posts: 3336
Joined: Sun Mar 21, 2010 3:11 pm

Re: The computer and software security thread

Post by Homer »

404cameljockey wrote: Wed Jan 17, 2018 4:31 pm Yes that's what I see. Win 10 is now fully up to day and system restarted but the buttons are greyed out and have been every time I've run InSpectre, so still are inactive. Weird.

I'll check their website tomorrow.
Did you "run with elevated administrator privilege"? If so, how?

Do you understand the last sentence in the box I highlighted with a magenta border in the bottom screen shot?
User avatar
404cameljockey
Ace
Ace
Posts: 1780
Joined: Sat Apr 30, 2016 5:14 am

Re: The computer and software security thread

Post by 404cameljockey »

I right click the .exe and run the program as administrator. Is there something else I should be doing?

I don't understand 'if protection is not available to be changed'.

InSpectre says:

-My 64 bit Win 10 is unaware of either of the two problems. It's fully updated though.

-System hardware has not been updated to allow the OS to protect against the problems.

-My Intel i7 processor provides protection against Meltdown if the OS is properly updated which it is. But InSpectre says my system is still vulnerable to both problems.

-My registry is properly configured.

+++

I don't know what to do now. All the requirements seem to be met, certainly for Meltdown protection which InSpectre says doesn't require BIOS update.
Homer
Rock Star
Rock Star
Posts: 3336
Joined: Sun Mar 21, 2010 3:11 pm

Re: The computer and software security thread

Post by Homer »

Too many things to quote, so I'm going to do it old style, with right arrows showing what you wrote

>I right click the .exe and run the program as administrator. Is there something else I should be doing?
No.

>I don't understand 'if protection is not available to be changed'.
Awkward English. The program protects PCs by modify the registry. For some Windows installations such changes aren't possible, or don't have the intended effect.

>InSpectre says:
>-My 64 bit Win 10 is unaware of either of the two problems. It's fully updated though.
See below where I bolded quotes of Microsoft


>-System hardware has not been updated to allow the OS to protect against the problems.
Check with motherboard maker for a BIOS update. Look at 'List of OEM /Server device manufacturers' at https://support.microsoft.com/en-us/hel ... e-meltdown I expect you'll have to wait.

>-My Intel i7 processor provides protection against Meltdown if the OS is properly updated which it is. But InSpectre says my system is still vulnerable to both problems.
Microsoft says: "Customers who only install the January 2018 Windows operating system security updates from Microsoft will not be fully protected against the vulnerabilities. Antivirus software updates should be installed first. Operating system and firmware updates should follow." From above link.
+++

>I don't know what to do now.
If you've updated your antivirus, it's waiting time. Good news is no malware using either of the 2 vulnerabilities has been found.

>All the requirements seem to be met, certainly for Meltdown protection which InSpectre says doesn't require BIOS update.
Microsoft didn't say that the January updates will fix the problem. They said: "As of January 3, 2018, Microsoft released several updates to help mitigate these vulnerabilities and help protect customers. We have also deployed updates to secure our cloud services and Internet Explorer and Microsoft Edge browsers. We are continuing to work closely with industry partners including chip makers, device manufacturers, and app vendors." From above link
User avatar
404cameljockey
Ace
Ace
Posts: 1780
Joined: Sat Apr 30, 2016 5:14 am

Re: The computer and software security thread

Post by 404cameljockey »

Thanks for the in depth answer, Homer, all as clear as it can be.... ;)
Post Reply