Plus Firefox zero days targeting Coinbase, the latest update on Rowhammer, and a few more reasons it's a great time to be a ZFS user.

Links:

• SACK Panic Security Bulletin — Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.
• Ubuntu SACK Panic Guidance — You should update your kernel to the versions specified below in the Updates section and reboot. Alternatively, Canonical Livepatch updates will be available to mitigate these two issues without the need to reboot.
• Red Hat SACK Panic Advisory — Red Hat customers running affected versions of these Red Hat products are strongly recommended to update them as soon as errata are available. Customers are urged to apply the available updates immediately and enable the mitigations as they feel appropriate.   
• RFC 2018 - TCP Selective Acknowledgment Options — TCP may experience poor performance when multiple packets are lost from one window of data. With the limited information available from cumulative acknowledgments, a TCP sender can only learn about a single lost packet per round trip time. An aggressive sender could choose to retransmit packets early, but such retransmitted segments may have already been successfully received. A Selective Acknowledgment (SACK) mechanism, combined with a selective repeat retransmission policy, can help to overcome these limitations.
• Ping of Death — In a nutshell, it is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine.
• Firefox zero-day was used in attack against Coinbase employees, not its users | ZDNet — A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users.
• Mozilla fixes second Firefox zero-day exploited in the wild | ZDNet — Mozilla has released a second security update this week to patch a second zero-day that was being exploited in the wild to attack Coinbase employees and other cryptocurrency organizations.
• RAMBleed — RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key.
• Digging into the new features in OpenZFS post-Linux migration | Ars Technica — One of the most important new features in 0.8 is Native ZFS Encryption. Until now, ZFS users have relied on OS-provided encrypted filesystem layers either above or below ZFS. While this approach does work, it presented difficulties.
• Allan Jude on Twitter — Once the FreeBSDs are upstreamed, everything is changing to 'OpenZFS', including the github organization currently know as 'zfsonlinux'.
• ZFS on Linux Releases
• Linux Academy is hiring!
• Mozilla teases $5-per-month ad-free news subscription — Mozilla has started teasing an ad-free news subscription service, which, for $5 per month, would offer ad-free browsing, audio readouts, and cross-platform syncing of news articles from a number of websites.

Plus an update from the linux vendor firmware service, your feedback, and more!

Links:

• Joren Verspeurt on Twitter — The explanation you gave for unsupervised wasn't correct, that was just using a net that was trained in a supervised way. Unsupervised learning doesn't involve labels at all. A good example: clustering. You say "there are x clusters" and it learns a way of grouping similar items.
• Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers — The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems.
• Malicious updates for ASUS laptops — A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.
• Asus Live Update Patch Now Availabile — Asus has emitted a non-spyware-riddled version of Live Update for people to install on its notebooks, which includes extra security features to hopefully detect any future tampering.
• ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups — ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
• The Messy Truth About Infiltrating Computer Supply Chains — The Defense Intelligence Agency believed that China’s capability at exploiting the BIOS “reflects a qualitative leap forward in exploitation that is difficult to detect”
• Inside the Unnerving CCleaner Supply Chain Attack — Security researchers at Cisco Talos and Morphisec made a worst nightmare-type disclosure: the ubiquitous computer cleanup tool CCleaner had been compromised by hackers for more than a month. The software updates users were downloading from CCleaner owner Avast—a security company itself—had been tainted with a malware backdoor. The incident exposed millions of computers and reinforced the threat of so-called digital supply chain attacks, situations where trusted, widely distributed software is actually infected by malicious code.
• ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World — ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.
• Gaming industry still in the scope of attackers in Asia — Yet again, new supply-chain attacks recently caught the attention of ESET Researchers. This time, two games and one gaming platform application were compromised to include a backdoor.
• Microsoft Security Intelligence Report Volume 24 is now available — Software supply chain attacks are another trend that Microsoft has been tracking for several years. One supply chain tactic used by attackers is to incorporate a compromised component into a legitimate application or update package, which then is distributed to the users via the software. These attacks can be very difficult to detect because they take advantage of the trust that users have in their software vendors. The report includes several examples, including the Dofoil campaign, which illustrates how wide-reaching these types of attacks are and what we are doing to prevent and respond to them.
• Microsoft Security Intelligence Report Volume 24
• Supply Chain Attacks Spiked 78 Percent in 2018
• Supply Chain Security: A Talk by Bunnie Huang — I recently gave an invited talk about supply chain security at BlueHat IL 2019. I was a bit surprised at the level of interest it received, so I thought I’d share it here for people who might have missed it.
• Attack inception: Compromised supply chain within a supply chain poses new risk — The plot twist: The app vendor’s systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.
• Supply Chain Attacks and Secure Software Updates — In general, a supply chain attack involves first hacking a trusted third party who provides a product or service to your target, and then using your newly acquired, privileged position to compromise your intended target.
• Bad USB, Very Bad USB — The best defense for this type of attack is to only use devices that do not have reprogrammable firmware. Outside of this, it is important to only use USB drives that you trust completely, because after plugging in an untrusted device, you will never know if there is an invisible threat running on your computer.
• Reflections on Trusting Trust by Ken Thompson
• LVFS Project Announcement - The Linux Foundation — The Linux Foundation welcomes the Linux Vendor Firmware Service (LVFS) as a new project. LVFS is a secure website that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions to provide metadata for clients, such as fwupdmgr, GNOME Software and KDE Discover.
• LVFS: Vendor Status
• Two new supply-chain attacks come to light in less than a week — Called “Colourama,” the package looked similar to Colorama, which is one of the top-20 most-downloaded legitimate modules in the Python repository. The doppelgänger Colourama package contained most of the legitimate functions of the legitimate module, with one significant difference: Colourama added code that, when run on Windows servers, installed a Visual Basic script.
• Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months

Plus a concise breakdown of Meltdown, Spectre, and side-channel attacks like only TechSNAP can.

Then we run through the timeline of events, and the scuttlebutt of so called coordinated disclosure. We also discuss yet another security issue in macOS High Sierra, a backdoor in popular storage appliances, your questions, and more!

Sponsored By:

• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:

• Meltdown and Spectre — Meltdown and Spectre exploit critical vulnerabilities in modern processors.
• The Meltdown and Spectre CPU Bugs, Explained
• How we got to Spectre and Meltdown A Timeline My version of the timeline... — My version of the timeline on Spectre Meltdown. This post will be updated! If you want to add/correct something, please comment.
• How Tier 2 cloud vendors banded together to cope with Spectre and Meltdown | TechCrunch — Eventually six cloud providers — Scaleway, DigitalOcean, Packet, Vultr, Linode and OVH — formed a consortium of sorts to help one another and share information. In order to make the process more efficient, they started a Slack channel with CEOs, CTOs and engineers from the various companies sharing information and fixes as they became available.
• FreeBSD was made aware of Meltdown and Spectre in late December. There's currently no ETA for mitigation. — It looks like Dragonfly BSD has a patch, so hopefully that will be useful for FreeBSD.
• heads up: Fix for intel hardware bug will lead to performance regressions — Upcoming versions of the linux kernel (and apparently also windows and others), will include new feature that apparently has been implemented with haste to work around an intel hardware bug.
• AWS Developer Forums: Degraded performance — Immediately following the reboot my server running on this instance started to suffer from cpu stress.
• Google is pushing Retpoline — With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.
• PCID is now a critical performance/security feature on x86 — On any system that does not currently show "pcid" in the flags line of /proc/cpuinfo, Meltdown is a bigger issue than "install latest updates".
• Spectre & Meltdown vulnerability/mitigation checker for Linux — A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
• Microsoft PowerShell Script to check for Meltdown — To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.
• Why Raspberry Pi isn't vulnerable to Spectre or Meltdown — To help us understand why, here’s a little primer on some concepts in modern processor design.
• macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password — A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.
• Major macOS High Sierra Bug Allows Full Admin Access Without Password
• WD My Cloud NAS devices have hard-wired backdoor — Lets anyone log in as user mydlinkBRionyg with the password abc12345cba.
• Question: How could I measure all of these overhead performance hits? — My question: how could I measure all of these overhead performance hits, so I can put in a well educated request to adjust all of these components, so I have a computer that performs near its capacity?
• Perfmon
• Troubleshooting with the Windows Sysinternals Tools
• ProcDump
• Process Monitor - Replaces filemon
• Question: MySQL Replication Woes — The problem is that during some larger deletes on the master, the tables on the slave get locked and the slave lag goes through the roof.. During this time all of my selects that have been sent to the slave are just sitting there and waiting for the table to unlock while the master is just fine.
• Ask Noah 44: Red Hat with Brandon Johnson
• BSD Now 228: The Spectre of Meltdown