Also, a few Windows worms you should know about, the end of the road for EV certs, and an embarrassing new Bluetooth attack.

Links:

• A detailed look at AMD’s new Epyc “Rome” 7nm server CPUs | Ars Technica — The short version of the story is, Epyc "Rome" is to the server what Ryzen 3000 was to the desktop—bringing significantly improved IPC, more cores, and better thermal efficiency than either its current-generation Intel equivalents or its first-generation Epyc predecessors.
• AMD Rome Second Generation EPYC Review: 2x 64-core Benchmarked — Ever since the Opteron days, AMD's market share has been rounded to zero percent, and with its first generation of EPYC processors using its new Zen microarchitecture, that number skipped up a small handful of points, but everyone has been waiting with bated breath for the second swing at the ball. AMD's Rome platform solves the concerns that first gen Naples had, plus this CPU family is designed to do many things: a new CPU microarchitecture on 7nm, offer up to 64 cores, offer 128 lanes of PCIe 4.0, offer 8 memory channels, and offer a unified memory architecture based on chiplets.
• AMD EPYC Rome Still Conquering Cascadelake Even Without Mitigations - Phoronix — Out of curiosity, I've run some unmitigated benchmarks for the various relevant CPU speculative execution vulnerabilities on both the Intel Xeon Platinum 8280 Cascadelake and AMD EPYC 7742 Rome processors for seeing how the performance differs.
• Intel’s line of notebook CPUs gets more confusing with 14nm Comet Lake | Ars Technica — Going by Intel's numbers, Comet Lake looks like a competent upgrade to its predecessor Whiskey Lake. The interesting question—and one largely left unanswered by Intel—is why the company has decided to launch a new line of 14nm notebook CPUs less than a month after launching Ice Lake, its first 10nm notebook CPUs.
• A look at the Windows 10 exploit Google Zero disclosed this week | Ars Technica — On Tuesday, Tavis Ormandy of Google's Project Zero released an exploit kit called ctftool, which uses and abuses Microsoft's Text Services Framework in ways that can effectively get anyone root—er, system that is—on any unpatched Windows 10 system they're able to log in to
• Patch new wormable vulnerabilities in Remote Desktop Services (CVE-2019-1181/1182) – Microsoft Security Response Center — Today Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.
• KNOB Attack — TL;DR: The specification of Bluetooth includes an encryption key negotiation protocol that allows to negotiate encryption keys with 1 Byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to let any standard compliant Bluetooth device negotiate encryption keys with 1 byte of entropy and then brute force the low entropy keys in real time.
• Troy Hunt: Extended Validation Certificates are (Really, Really) Dead — With both browsers auto-updating for most people, we're about 10 weeks out from no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with! Oh sure, you can still drill down into the certificate and see the entity name, but who's really going to do that? You and I, perhaps, but we're not exactly in the meat of the browser demographics.
• Google wants to reduce lifespan for HTTPS certificates to one year | ZDNet — Scott Helme argues that the security benefits of shorter SSL certificate lifespans have nothing to do with phishing or malware sites, but instead with the SSL certificate revocation process. Helme claims that this process is broken and that bad SSL certificates continue to live on for years after being mississued and revoked.

Plus the benefits of passphrases, and what you can do to keep your local providers on the up and up.

Links:

• Plain wrong: Millions of utility customers’ passwords stored in plain text | Ars Technica — In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email—not reset!—lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox.
• The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords | — LinkedIn stated that after the initial 2012 breach, they added enhanced protection, most likely adding the “salt” functionality to their passwords. However, if you have not changed your password since 2012, you do not have the added protection of a salted password hash. You may be asking yourself–what on earth are hashing and salting and how does this all work?
• How Developers got Password Security so Wrong — As time has gone on; developers have continued to store passwords insecurely, and users have continued to set them weakly. Despite this, no viable alternative has been created for password security.
• Adding Salt to Hashing: A Better Way to Store Passwords — A salt is added to the hashing process to force their uniqueness, increase their complexity without increasing user requirements, and to mitigate password attacks like rainbow tables.
• Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study — We were interested in exploring two particular aspects: Firstly, do developers get things wrong because they do not think about security and thus do not include security features (but could if they wanted to)? Or do they write insecure code because the complexity of the task is too great for them? Secondly, a common suggestion to increase security is to offer secure defaults.
• OWASP Password Storage Cheatsheet — This article provides guidance on properly storing passwords, secret question responses, and similar credential information.
• Secure Salted Password Hashing - How to do it Properly — If you're a web developer, you've probably had to make a user account system. The most important aspect of a user account system is how user passwords are protected. User account databases are hacked frequently, so you absolutely must do something to protect your users' passwords if your website is ever breached. The best way to protect passwords is to employ salted password hashing. This page will explain why it's done the way it is.
• Plain Text Offenders — We’re tired of websites abusing our trust and storing our passwords in plain text, exposing us to danger. Here we put websites we believe to be practicing this to shame.
• Cybersecurity 101: Why you need to use a password manager | TechCrunch — Think of a password manager like a book of your passwords, locked by a master key that only you know.
• On the Security of Password Managers - Schneier on Security — There's new research on the security of password managers, specifically 1Password, Dashlane, KeePass, and Lastpass. This work specifically looks at password leakage on the host computer. That is, does the password manager accidentally leave plaintext copies of the password lying around memory?
• LinuxFest Northwest 2019 — It's the 20th anniversary of LinuxFest Northwest! Come join your favorite Jupiter Broadcasting hosts at the Pacific Northwest's premier Linux event.
• SCALE 17x — The 17th annual Southern California Linux Expo – will take place on March. 7-10, 2019, at the Pasadena Convention Center. SCaLE 17x expects to host 150 exhibitors this year, along with nearly 130 sessions, tutorials and special events.
• Jupiter Broadcasting Meetups — The best place to find out when Jupiter Broadcasting has a meetup near you! Also stay tuned for upcoming virtual study groups.