ASRock released BIOS updates for its Intel 100 Series motherboard lineup that corrects a reported bug in Intel’s 6^th generation (Skylake) processors that causes the system to freeze or crash when executing complex workloads.

The error was discovered by users of Prime95, a popular CPU stress-testing application that pushes processors to their limits by executing complex prime number equations. It appears that the Intel Skylake architecture took a page from the early Pentium processor and did not behave as intended when stressed with these heavy workloads.

By the time Intel revealed the issues, the company already had a fix worked out and indicated board vendors would be releasing BIOS updates soon. ASRock is one of the first motherboard vendors to offer a fix for the dreaded Skylake bug.

ASRock’s new BIOS updates are available now at the company’s support webpage. Kill the bug with fire.

Source: tomshardware

http://www.tomshardware.com/news/asrock-releases-bios-updates-to-fix-intel-skylake-bug,31063.html

VB2015 paper: Digital ‘Bian Lian’ (face changing): the Skeleton Key malware

Microsoft, Dell SecureWorks researchers analyse malware targeting Active Directory servers.

A year ago, researchers from Dell SecureWorks discovered a new kind of malware, dubbed ‘Skeleton Key’, that was used in targeted attacks.

The malware, which was installed on the target’s domain controller, allowed the attacker to login as any user and thus perform any number of actions.

At VB2015, Microsoft researchers Chun Feng, Tal Be’ery and Michael Cherny, and Dell SecureWorks‘ Stewart McIntyre presented the paper “Digital ‘Bian Lian’ (face changing): the skeleton key malware”. Today, we publish their paper as well as the video of their presentation.

You can read the paper here in HTML-format, or download it here as a PDF, and find the video on our YouTubechannel, or embedded below.

Are you interested in presenting your research at the upcoming Virus Bulletin conference (VB2016), in Denver 5-7 October 2016? The call for papers is now open.

Posted on 19 January 2016 by Martijn Grooten

https://www.virusbtn.com/blog/2016/01_21.xml

According to findings from Tariff Consultancy, the average cloud computing price for enterprises has dropped by two-thirds since 2014. Tariff found that an average entry-level cloud computing instance is currently valued at 12 cents per hour for Windows users, with cloud services now employed by enterprises across a range of crucial applications.

The cost of the public cloud appears to have stabilized. Amazon Web Services, Google, and Microsoft offer comparable entry-level compute-instance pricing, as do other providers.

Despite such low prices, I still hear complaints from IT about the cost of cloud.

The actual cost of the cloud is not for the services themselves. That’s a small part. The real money goes to the people, tools, time, and risk mitigation. IT shops that look at only the cost of AWS versus Microsoft are missing a huge part of the equation. And they’re the ones that get sticker shock when they see the entire cost of cloud-based migrations, including new development and operations, that have little to do with the cost of compute instances.

I advise that you consider the cost holistically. That means working up a well-thought-out TCO (total cost of ownership) model that considers all aspects of the cost of moving to the cloud, such as people, migration, security, operations, and testing. You need to then balance that cost with the value of agility and time to market, which are typically huge for most enterprises.

That analysis usually shows that moving to the cloud is more cost-effective than leaving the applications and data where they are, in your data center. But using the cloud is not as cheap as it may seem from those compute prices.

Source: InfoWorld

http://www.infoworld.com/article/3023039/cloud-computing/the-cloud-is-a-bargain-but-its-not-cheap.html

Intel announced that its 6th Gen (Skylake) Core vPro processors are now available for purchase. With Skylake, Intel opted to introduce a new security technology called Intel Authenticate to increase the amount of protection provided by vPro processors.

The Intel Authenticate software is still in development, but users are now able able to preview and test the software themselves. The software uses multiple authentication factors in order to determine who is accessing the system and ensure it is the correct person. The system supports up to three hardened factors that can consist of an item you have such as a smartphone or ring, a physical feature such as a retinal scan or fingerprint, or something you need to remember such as a password.

If the software is configured to use three identification factors, then just entering your password or scanning your fingerprint won’t be enough to grant you access to the system. This software uses the vPro hardware in order to enhance the accuracy of these authentication factors, and it is not supported on non-vPro processors. Intel Authenticate is compatible with Windows 7, 8, 8.1 and 10.

Systems using the Skylake vPro processors are now available from several OEMs including Acer, Asus, Dell, Fujitsu, HP, Lenovo, Panasonic and Toshiba.

Source: Tomshardware

http://www.tomshardware.com/news/intel-skylake-vpro-intel-authenticate,31032.html

When it comes to online banking, sub-optimal encryption isn’t our biggest concern

Posted on 06 January 2016 by Martijn Grooten

https://www.virusbtn.com/blog/2016/01_06.xml

Malware authors and scammers won’t attack the crypto.

Under the headline “no zero-day necessary”, Xiphos has published a rather scary blog post on the state of SSL security within the UK’s finance industry. It concludes that more than 50% of UK-owned retail banks have weak SSL implementations on their online banking sites, with 14% of them getting the lowest grade on Qualys‘sSSLLabs service.

This isn’t good. Banking is largely based on trust, and getting IT security right should play an important role in being trusted. But we should be careful not to confuse sub-optimal security with a likelihood of this leading to actual attacks.

Of the vulnerabilities Xiphos mentions, CRIME and POODLE are the most serious. They make it easy for an attacker with a man-in-the-middle position to steal secure session cookies, thus allowing them to hijack a browsing session. This simply should not be possible on a site where people manage their finances.

However, cybercriminals rarely use man-in-the-middle attacks. For them, the fact that they often don’t scale well and can’t be performed remotely, makes such attacks rather uninteresting. Moreover, most banks mitigate session-hijacking attacks by requiring the user to authenticate transactions through a second channel. Hence it isn’t surprising that there have been no known instances of CRIME or POODLE having been used in the wild.

The other weaknesses mentioned, such as the support for RC4, the lack of support for TLS 1.2 and the use of SHA-1 certificates, can only be abused in a purely theoretical setting (in the case of RC4), or not at all.

Interestingly, the blog post doesn’t mention the fact that many banks — including the four main UK retail banks — don’t use HTTPS by default on their main site. Given that this is how many users browse to their online banking service, an attacker with a man-in-the-middle position, or malware running on the user’s system, could trivially modify the link to a site they control. After all, no encryption is infinitely worse than sub-optimal encryption.

Still, this isn’t the thing users should be most concerned about. It would be far better if they concerned themselves with becoming more aware of the various ways in which malware and scams try to steal their money — none of which attack the encryption protocols the bank uses.

It is good to hold banks accountable when it comes to security on their websites. But we have to be realistic about where the actual risks are. They are not in the crypto.

In March, I will give a talk, “How Broken Is Our Crypto Really?“, on this subject at the RSA Conference in San Francisco.

Ask almost any exhausted parent, and he or she will agree that kid-centric video apps are a pretty useful invention. YouTube Kids is an app for iOS and Android that targets the preschool set with a wide selection of free clips of cartoons, educational programs and other generally anodyne content. But it may not be as innocent as it seems, thanks to advertisements that blur the line between content and hawking products.

The Georgetown Law Institute for Public Representation, along with eight children’s advocacy groups, penned a document to the FTC entitled “Request for Investigation into Google’s Unfair and Deceptive Practices in Connection with its YouTube Kids App,” and asking the commission to investigate. The 60-page document alleges that the app mixes actual content and commercials in a way that children cannot meaningfully distinguish, and that such behavior would never fly on broadcast or cable TV.

Google advertises YouTube Kids as an app “designed for curious little minds to dive into a world of discovery, learning and entertainment.” While its content matches its mission statement, Georgetown Law argues that some of the content blurs the line between entertainment and commercial.

For example, many of the videos available on the service are user-created toy and candy “unboxing” videos, which highlight excited consumers getting their hands on a new product for the first time. These reviewers often receive products directly from the companies they review, and do not disclose this information in a way that very young children can understand.

While these videos are not advertisements in the strictest sense, they would probably violate FCC television standards that disallow children’s show hosts from hawking particular products. (Young children, generally speaking, have more trouble differentiating ads from entertainment than their older siblings and parents.)

Branded channels also present something of a challenge. The Lego channel, for example, provides cartoons and webisodes about Lego characters, but also hosts full TV commercials for Lego products. Other companies, like McDonald’s, host a mix of narrative content and straight-up ads as well.

Despite speaking out against commercial content, Georgetown Law takes little issue with the actual ads that YouTube Kids shows in-between videos. They tend to be public service announcements for organizations like the U.S. Forestry Service or Adopt U.S. Kids, which, as advertisements go, are fairly inoffensive — arguably even wholesome.

Source: tomshardware

http://www.tomsguide.com/us/youtube-kids-confuses-audiences,news-20746.html

Let’s Encrypt certificate used in malversiting

We’d better get used to a world where malicious traffic is encrypted too.

According to some people, myself included, Let’s Encrypt was one of the best things that happened to the Internet in 2015. Now that, as of December, the service is in public beta, anyone can register certificates for domains they own, in a process that is both easy and free.

Cybercriminals have noticed this too, and rather unsurprisingly, Trend Micro reports that a certificate issued byLet’s Encrypt was used in an Angler exploit kit-powered malvertising campaign, to make the malicious advertisements harder to detect.

What makes this case particularly interesting is the fact that the domain for which the certificate was issued was the subdomain of a legitimate site, whose DNS was compromised. As domain-based reputation isn’t usually granular enough to distinguish between subdomains, this could have helped them avoid detection even further.

Let’s Encrypt only issues Domain Validation certificates, which don’t do more than validate the domain; hence it doesn’t believe it needs to police the content of the domains for which it issues certificates, although as a possibly temporary compromise, the domains are checked against Google‘s Safe Browsing API before a certificate is issued.

I agree with Let’s Encrypt here. I think our goal should be to encrypt all Internet traffic, and if bad traffic gets encrypted too, then that is a feature of the system, not a bug. Given how easy it is to register certificates, more policing would simply lead to a cat-and-mouse game. And there is also the danger of a slippery slope, where governments and interest groups start to pressure Let’s Encrypt to revoke the certificates of sites they perceive as bad.

We’ll just have to accept that more and more traffic is encrypted and find ways to block malicious activity in an environment where all traffic is encrypted.

Of course, this particular case is a little different: the exploit kit users in this case didn’t “own” the subdomain; they were merely able to point it to their own server. It might be worth Let’s Encrypt considering an automatic way in which domain owners can revoke certificates issued to subdomains. But that may well complicate the whole process and make little impact in practice. After all, for a successful malware campaign, domains only need to be active for a very short period of time.

If you’ve been telling people that the mere presence of a ‘lock icon’ in the address bar is a sign that a site is harmless, now is really the time to stop doing that.

https://www.virusbtn.com/blog/2016/01_08.xml

Posted on 08 January 2016 by Martijn Grooten.

It isn’t often that Microsoft is the company to watch for the new year. But it will be in 2016.

CEO Satya Nadella and his team have shaken things up, surprising customers with better products, a continuing move to the cloud, an embrace of open source, and a willingness to stand up for user privacy in the face of government pressure.

We even have to acknowledge a success that was born in the bad old days of Steve Ballmer: Microsoft’s largely successful do-over on Windows 10. Being rooted in the PC era is problematic, to say the least, but the Surface Book is (surprise) an exciting product that shows that the company is taking an old-school product as far as it can go. It’s even matched — or maybe outdone — Apple with the newest Surface Pro tablet.

There are still major challenges, and if any one area is liable to trip up the Redmonders it’s mobile. The ill-conceived purchase of Nokia cost billions, and even worse is the failure to develop a coherent mobile strategy years after it became a necessity.

But the balance sheet is now definitely tilted in Microsoft’s favor, which couldn’t be said a few years ago. Wall Street makes a lot of bad calls when it comes to technology companies, but it’s revealing that Microsoft’s price-to-earnings ratio, a measure of future expectations, is higher than Apple’s.

Beating the PC makers at their own game

Flawless execution is something few companies achieve, and Microsoft is no exception. Both Windows 10 and the Surface Book have problems that can’t be ignored. But unlike Windows Vista or Windows 8, Windows 10’s problems are fixable, and so are the issues plaguing the Surface Book.

Microsoft entered the hardware space a few years ago when it became clear that none of the PC makers were likely to produce a decent Windows tablet. The original Surface, particularly the weird and nearly useless Surface RT version, wasn’t successful — in fact, it cost the company a $900 million writedown.

Contrast that kludge with the new Surface Pro 4. It’s expensive, but it’s powered by Intel’s new Skylake processor, and Microsoft has reworked the heat distribution system to allow those chips to run at full speed so that they can tear through demanding applications.

Similarly, Microsoft entered the PC space because the PC makers were boring the buying public to death with unimaginative hardware larded with annoying, and sometimes contaminated, bloatware. You can read the reviews yourself, but suffice it to say that the Surface Book is, to quote my colleague Woody Leonhard, “one sexy piece of hardware.” When was the last time you heard someone who is often critical of Microsoft say something like that?

Microsoft won’t bank tons of money selling such an expensive machine, but clearly the company aims to push the PC makers into making better products, an essential step in keeping the Windows franchise afloat. It also wants to push the PC makers into dialing way back on bloatware, which is why the Microsoft Store sells bloatware-free Signature Editions of PCs made by other companies.

From open source to augmented reality

You don’t have to go back many years to find evidence of Microsoft’s arrogant rejection of the open source community. That’s been changing for some time, and as the company struggles to keep developers on its side, open source has become even more important.

There was a key development on that front last month when Microsoft announced plans to open-source its Chakra JavaScript engine. It shows, as my colleague Serdar Yegulalp wrote, “that Microsoft wants to become a player in the JavaScript ecosystem that has ambitions to be a near-universal runtime for every kind of software.”

There isn’t a huge amount of money here, but the Chakra strategy is indicative of a new openness and willingness to work in environments where Microsoft is not in a position to dominate the playing field.

Then there’s HoloLens. Sure, it’s been delayed a few times, but I’m excited to see Microsoft garner buzz — it practically eclipsed Windows at Microsoft’s January 2015 public preview. More important, it shows a willingness to go beyond the corporate comfort zone.

Writing at Ars Technica, Peter Bright put it this way: “With HoloLens I saw virtual objects — Minecraft castles, Skype windows, even the surface of Mars — presented over, and spatially integrated with, the real world.”

Augmented reality has the potential to be more than a cool toy. Companies like Epson have already developed and sold units that help field technicians fix complex devices and warehouse workers pick products from shelves. This field is crowded, and it will take some doing for Microsoft to succeed, but its willingness to risk it speaks volumes.

I don’t mean to minimize Microsoft’s weakness or defend boorish behavior like its annoying campaign to push users to download Windows 10. But having watched Microsoft decline as a relevant tech power over the years, I see a lot of reasons to expect a continued resurgence. Watch it carefully in 2016.

Source: InfoWorld

http://www.infoworld.com/article/3019721/microsoft-windows/microsoft-is-the-company-to-watch-in-2016.html

We know of several new SSD controllers slated for release in 2016, but the Phison PS5007-E7 is one of the most interesting. We first spotted the E7 at Computex, and it was already working well enough to run some performance tests. Phison has been fine-tuning the controller for 2D (1x, 1y, 1z) and next generation 3D NAND flash over the last several months.

This isn’t the first time we’ve spotted a working sample, but as you can see, the Zotac R&D model looks production-ready. This version pairs the Phison PS5007-E7 controller with Toshiba’s 15nm multi-level cell flash. The claimed performance is up to 2500 MB/s sequential read and 1,200 MB/s sequential write.

Zotac told us that this is the first and only model for a product that has yet to receive an official name. The drive just arrived from Hong Kong this morning, so it is a prototype. Upon arrival to Las Vegas, Zotac installed Windows and a few game demos on the drive. The game demos are running from the drive in the suite. This is the first time a public demo on an E7 ran with a real-world workload.

This is also the first time we’ve seen the E7 in a non-M.2 design outside of Phison’s office. All of the other E7 proposed products took the shape of M.2 2280 and 22110 form factors. The Zotac drive is a true AIC (add-in card) like the Intel SSD 750. AIC cards allow the drive to use more PCB surface area to increase NAND flash parallelization and consume more power. This leads to higher performance for end users.

Zotac’s primary business is gaming products. The company started out selling video cards exclusively, but it has expanded to other products like small form factor PCs and now solid-state drives. The future PCIe-based SSD takes on a gamer feel with large branding.

Zotac stated that the new drive could be ready as early as next month, but that contradicts what Phison has stated over the last few days. We don’t expect to see a retail E7-based product until Computex in June or Flash Memory Summit in August.

Source: toms hardware

http://www.tomshardware.com/news/zotac-phison-e7-ssd,30903.html

A Short History of Computer Viruses