The Cisco 1001-X series router doesn't look much like the one you have in your home. It's bigger and much more expensive, responsible for reliable connectivity at stock exchanges, corporate offices, your local mall, and so on. The devices play a pivotal role at institutions, in other words, including some that deal with hypersensitive information. Now, researchers are disclosing a remote attack that would potentially allow a hacker to take over any 1001-X router and compromise all the data and commands that flow through it.

And it only gets worse from there.

To compromise the routers, researchers from the security firm Red Balloon exploited two vulnerabilities. The first is a bug in Cisco’s IOS operating system—not to be confused with Apple's iOS—which would allow a hacker to remotely obtain root access to the devices. This is a bad vulnerability, but not unusual, especially for routers. It can also be fixed relatively easily through a software patch.

The second vulnerability, though, is much more sinister. Once the researchers gain root access, they can bypass the router's most fundamental security protection. Known as the Trust Anchor, this Cisco security feature has been implemented in almost all of the company’s enterprise devices since 2013. The fact that the researchers have demonstrated a way to bypass it in one device indicates that it may be possible, with device-specific modifications, to defeat the Trust Anchor on hundreds of millions of Cisco units around the world. That includes everything from enterprise routers to network switches to firewalls.

In practice, this means an attacker could use these techniques to fully compromise the networks these devices are on. Given Cisco's ubiquity, the potential fallout would be enormous.

“We’ve shown that we can quietly and persistently disable the Trust Anchor,” says Ang Cui, the founder and CEO of Red Balloon, who has a history of revealing major Cisco vulnerabilities. “That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything.”

Dropping Anchor

In recent years, security-minded companies have increasingly added "secure enclaves" to motherboards. Different solutions go by different names: Intel has SGX, Arm has the TrustZone, Apple has the secure enclave. And Cisco has the Trust Anchor.

They variously comprise either a secure part of a computer’s regular memory, or a discrete chip—a safe, secluded oasis away from the bedlam of the computer’s main processor. No user or administrator can modify the secure enclave, no matter how much control they have over the system. Because of its immutable nature, the secure enclave can watch over and verify the integrity of everything else.

Secure-computing engineers generally view these schemes as sound in theory and productive to deploy. But in practice, it can be dangerous to rely on a sole element to act as the check on the whole system. Undermining that safeguard—which has proven possible in many companies’ implementations—strips a device of critical protections. Worse still, manipulating the enclave can make it appear that everything is fine, even when it's very much not.

That's the case with the Cisco 1001-X. The Red Balloon team showed specifically that they could compromise the device's secure boot process, a function implemented by the Trust Anchor that protects the fundamental code coordinating hardware and software as a device turns on, and checks that it's genuine and unmodified. It's a crucial way to ensure that an attacker hasn’t gained total control of a device.

On Monday, Cisco is announcing a patch for the IOS remote-control vulnerability the Red Balloon researchers discovered. And the company says it will also provide fixes for all product families that are potentially vulnerable to secure-enclave attacks like the one the researchers demonstrated. Cisco declined to characterize the nature or timing of these fixes ahead of the public disclosure. It also disputed that the secure boot vulnerability directly impacts the Trust Anchor. According to its security bulletin, all fixes are still months away from release, and there are currently no workarounds. When the patches do arrive, Cisco says, they will "require an on-premise reprogramming," meaning the fixes can't be pushed remotely, because they are so fundamental.

“As a point of clarification, Cisco advertises several related and complementary platform security capabilities,” a spokesperson told WIRED in a written statement. “One of which that is relevant to this discussion is Cisco Secure Boot which provides a root of trust for system software integrity and authenticity. Another capability offered within certain Cisco platforms is the Trust Anchor module, which helps provide hardware authenticity, platform identity, and other security services to the system. The Trust Anchor module is not directly involved in the work demonstrated by Red Balloon.”

Cisco seems to make a distinction between its "Trust Anchor Technologies," "Trustworthy Systems," and "Trust Anchor module," that may explain why it only considers secure boot to be implicated in the research.

The Red Balloon researchers disagree, though. They note that Cisco’s patent and other documentation show that the Trust Anchor implements secure boot. If secure boot is undermined, the Trust Anchor is necessarily also defeated, because all of the tools are in a chain of trust together. You can see it visualized in this Cisco diagram.

“That’s why they call it an anchor! It’s not a trust buoy,” Cui says.


The research group, which also includes Jatin Kataria, Red Balloon’s principal scientist, and Rick Housley, an independent security researcher, was able to bypass Cisco’s secure boot protections by manipulating a hardware component at the core of the Trust Anchor called a “field programmable gate array.” Computer engineers often refer to FPGAs as “magic,” because they can act like microcontrollers, the processors often used in embedded devices, but can also be reprogrammed in the field. That means unlike traditional processors, which can't be physically altered by a manufacturer once they're out in the world, an FPGA's circuits can be changed after deployment.

FPGAs pull their programming from a file called the bitstream, which is usually custom-written by hardware makers like Cisco. To keep FPGAs from being reprogrammed by mischievous passersby, FPGA bitstreams are extremely difficult to interpret from the outside. They contain a series of complex configuration commands that physically dictate whether logic gates in a circuit will be open or closed, and security researchers evaluating FPGAs have found that the computational power required to map an FPGA’s bitstream logic is prohibitively high.

But the Red Balloon researchers found that the way the FPGA was implemented for Cisco’s Trust Anchor, they didn’t need to map the whole bitstream. They discovered that when Cisco’s secure boot detected a breach of trust in a system, it would wait 100 seconds—a pause programmed by Cisco engineers, perhaps to buy enough time to deploy a repair update in case of a malfunction—and then physically kill the power on the device. The researchers realized that by modifying the part of the bitstream that controlled this kill switch, they could override it. The device would then boot normally, even though secure boot accurately detected a breach.

“That was the big insight,” Red Balloon’s Kataria says. “The Trust Anchor has to tell the world that something bad has happened through a physical pin of some sort. So we started reverse engineering where each pin appeared in the physical layout of the board. We would disable all the pins in one area and try to boot up the router; if it was still working, we knew that all of those pins were not the one. Eventually we found the reset pin and worked backward to just that part of the bitstream.”

The researchers did this trial-and-error work on the motherboards of six 1001-X series routers. They cost up to about $10,000 each, making the investigation almost prohibitively expensive to carry out. They also broke two of their routers during the process of physically manipulating and soldering on the boards to look for the reset pin.

An attacker would do all of this work in advance as Red Balloon did, developing the remote exploit sequence on test devices before deploying it. To launch the attack, hackers would first use a remote root-access vulnerability to get their foothold, then deploy the second stage to defeat secure boot and potentially bore deeper into the Trust Anchor. At that point, victims would have no reason to suspect anything was wrong, because their devices would be booting normally.

“The exposure from this research will hopefully remind the companies out there beyond just Cisco that these design principles will no longer stand as secure,” says Josh Thomas, cofounder and chief operating officer of the embedded device and industrial control security company Atredis. “This is proof that you can’t just rely on the FPGA to do magic for you. And it’s at such a low level that it’s extremely difficult to detect. At the point where you’ve overridden secure boot, all of that trust in the device is gone at that point.”

Even Bigger Problems

Thomas and the Red Balloon researchers say they are eager to see what types of fixes Cisco will release. They worry that it may not be possible to fully mitigate the vulnerability without physical changes to the architecture of Cisco’s hardware anchor. That could involve implementing an FPGA in future generations of products that has an encrypted bitstream. Those are financially and computationally more daunting to deploy, but would not be vulnerable to this attack.

And the implications of this research don't end with Cisco. Thomas, along with his Atredis cofounder Nathan Keltner, emphasizes that the bigger impact will likely be the novel concepts it introduces that could spawn new methods of manipulating FPGA bitstreams in countless products worldwide, including devices in high-stakes or sensitive environments.

For now, though, Red Balloon’s Cui is just worried about all of the Cisco devices in the world that are vulnerable to this type of attack. Cisco told WIRED that it does not currently have plans to release an audit tool for customers to assess whether their devices have already been hit, and the company says it has no evidence that the technique is being used in the wild.

But as Cui points out, “Tens of thousands of dollars and three years of doing this on the side was a lot for us. But a motivated organization with lots of money that could focus on this full-time would develop it much faster. And it would be worth it to them. Very, very worth it.”

In some countries, many use the internet without realizing it

What is the internet? And who is an internet user? The questions may seem straightforward, but more than a decade of research in the United States and abroad suggests that some people who use the internet may not be aware that they’re doing so. Results from recent Pew Research Center surveys in the U.S. and 11 emerging economies show that confusion about what the internet is stems from two different – but related – sources.

Sizable shares in some countries report owning smartphones but not using 'the internet'

First, many people who use smartphones are unaware that the apps and browsers on their devices involve using the internet. In the Center’s survey of emerging economies, as many as 38% of those who say they do not use the internet also indicate that they have a phone that connects to the internet. Due to differences in internet use across these countries, this group represents as much as 14% of the total adult population in South Africa, or as little as 3% in Venezuela.

These mismatches are often highest in developing countries and can even extend to people who use their smartphones to do things that necessitate using the internet for tasks such as looking for or applying for jobs.

Across 11 developing countries surveyed in fall 2018, one of the defining factors in people’s awareness they are using the internet is whether they have access to a home or office computer. Majorities of “unconscious internet users” (that is, those who say they do not use the internet, but do use social media, a smartphone or a feature phone) lack access to a home computer or tablet, meaning they likely visit the internet primarily through a mobile phone. In three countries, those with lower levels of education are also somewhat more likely to be unconscious internet users, though in most countries there is no relationship with educational attainment. But, while older people are somewhat less likely to use the internet, smartphones or social media than younger people, they are not more likely to be unconscious users.

This phenomenon extends to advanced economies as well: Previous surveys by the Center have found that a small share of people in nearly every country surveyed underreport internet use. Estimates that account for social media use and smartphone ownership tend to be somewhat larger than those that only include people’s self-reported internet use. For example, 90% of South Koreans say they use the internet, when asked, but 97% of South Koreans report using the internet, owning a smartphone or using social media – a gap of 7 percentage points.

Other developed countries also show gaps between these narrow and broad measures of internet use, including Spain (7 percentage points), Italy (5 points) and France (4). And in our most recent technology-focused survey of U.S. adults, conducted in January and February, one-quarter of those who say they do not use the internet do indicate they own a smartphone – although since relatively few Americans do not go online, that group works out to just 2% of the total adult population.

There are people in many countries who use Facebook and WhatsApp but report not using 'the internet'

Second, apart from a lack of awareness that smartphones and feature phones connect to the internet, many people who use social media and messaging apps appear unaware that the platforms themselves are part of the broader internet. This is a relatively well-known phenomenon in the case of Facebook: Sheryl Sandberg, the company’s chief operating officer, was once quoted as saying, “People actually confuse Facebook and the internet in some places.” And in countries like the Philippines, Facebook offers a free version that allows users to visit the site without incurring mobile data charges.

Some of this may seem to be a niche issue, mostly of interest to survey researchers. But measurement matters for our understanding of political phenomena and how people access information. As many policies and programs are structured around reaching the population that is not online – “internet for all” – it’s important to have a clear and accurate reading of who is and is not online. Our research also suggests that the dominance of certain providers – especially Facebook and WhatsApp – is important to this understanding given that considerable shares in some countries appear to be using them without even realizing that they’re going online.

Focus groups conducted in the Philippines in March 2018 highlighted the extent to which people used Facebook as a portal to the internet at large, relying on it as a website for online dating, finding jobs and acquiring news, along with general uses like messaging, sharing pictures with family and video calls. As two participants highlighted in one exchange, “It seems like almost all people in the world have Facebook … it seems impossible if you don’t have [a Facebook account].” Indeed, the Philippines stands out for having the largest share of people among these 11 countries who say they use Facebook but also report not being online (12%). Similarly, as much as 10% of the population in South Africa reports using WhatsApp but not using the internet.

As was true with the distinction between smartphones and the internet, this lack of understanding of the nature of social media is not confined to emerging economies. Among U.S. adults who say they do not use the internet, some 14% indicate in each case that they use Facebook or the video sharing platform YouTube.

Taken together, these findings indicate that people can be unaware of what the internet is in a variety of ways. Across all 11 countries surveyed, anywhere from 5% to 25% of the population fits this pattern of being an unconscious internet user. The highest rates of this behavior occur in Kenya and the lowest rates occur in Lebanon and Vietnam.

In some large emerging economies, more than one-in-ten use the internet but don't realize it

Windows 10 will soon ship with a full, open source, GPLed Linux kernel

Earlier today, we wrote that Microsoft was going to add some big new features to the Windows Subsystem for Linux, including native support for Docker containers. It turns out that that ain't the half of it.

The current Windows Subsystem for Linux uses a Microsoft-authored kernel component that provides the same kernel API as the Linux kernel but is written from scratch by Microsoft. Essentially, it translates from Linux APIs to Windows NT kernel APIs. That worked pretty well, but the current subsystem had a few shortcomings: there was no ability to use Linux drivers, in particular file system drivers. Its file system performance, layered on top of Windows' own NTFS, was often 20 times slower than a real Linux kernel. It was also a relatively old version of the kernel; it offered approximately the set of APIs that Linux 4.4 did, and that was released in 2016. Some APIs aren't implemented at all, and others are only partially implemented to meet the needs of specific applications.

All is changing with Windows Subsystem for Linux 2. Instead of emulating the Linux kernel APIs on the NT kernel, WSL 2 is going to run a full Linux kernel in a lightweight virtual machine. This kernel will be trimmed down and tailored to this particular use case, with stripped-down hardware support (since it will defer to the host Windows OS for that) and faster booting.

The Linux kernel is GPLed open source; the GPL license requires that any modifications made to the code must be published and made available under the GPL license. Microsoft will duly comply with this, publishing the patches and modifications it makes to the kernel. WSL 2 will also use a similar split as the current WSL does: the kernel component will be shipped with Windows while "personalities" as provided by the various Linux distributions can be installed from the Microsoft Store.

By using the Linux kernel itself, Microsoft gets all of Linux's features for free. This is why WSL 2 will support Docker containers: all the underlying infrastructure, such as cgroups, is already in the Linux kernel, and Microsoft won't need to implement the features itself. The embedded kernel will be serviced and updated by Windows Update.

This also provides a big bump to performance. File system-heavy operations such as extracting a tarball can be up to 20 times faster; other activities (such as cloning source code repositories in Git) will be perhaps five times faster.

WSL has already been warmly embraced by developers, as it gives a solid Linux-like development environment. WSL 2 will take that to a new level and all but eliminate the compatibility issues that WSL 1 has.

The first preview of WSL 2 is due to ship in June.

Brace yourself, FlySafair is selling tickets for R5 on Tuesday

Every year FlySafair holds a sale where flights on the airline are discounted to ridiculous rates.
This year the same holds true as the airline intends to host a sale where tickets will cost just R5. FlySafair has 45 000 seats to sell for R5 and the sale goes live at 9:00 on Tuesday 7th May.
Now, we can’t talk about a FlySafair sale without talking about the absolute disaster that is the airline’s website during the sale.
Time outs, outright crashes and an inability to even access the website are all common occurrences but this year the airline says things will run a bit smoother.
“Learning from the first year’s website issues, FlySafair implemented what it calls a “Waiting Room” in year two. This is effectively a holding area that allows a random selection of users onto the site every five minutes in order to avoid the website from being overwhelmed,” the airline said.
The waiting room is still in effect this year but things will be a bit different. Buyers will be randomly selected from the waiting room and be granted access to the website.
Once on the website, buyers will have to complete their purchase immediately or the session will expire.
Buyers have been asked to remain in the waiting room because, if they aren’t selected the first time around, they can still be randomly selected.
As a way to keep folks busy while they wait, FlySafair will host three competitions in the waiting room.
Free2Fly competition – win a card that lets you fly on any FlySafair flight for free, for 12 months
Jive for R5  – win one of five tickets by uploading a video of you “jiving” for tickets
R5 Madness – win an online shopping voucher for uploading a photo of you in the waiting room.
The airline advises buyers to log into the waiting room with multiple devices and be attentive so as not to miss their chance to purchase a ticket when the time comes.
Will FlySafair get it right this time around? We’ll have to see tomorrow.


Environmental licence for SKA phase one gets green light

The Integrated Environmental Management Plan (IEMP), which gives licence to construct phase one of the Square Kilometre Array (SKA), has been adopted.

This is according to the Department of Science and Technology (DST), which confirmed environmental affairs minister Nomvula Mokonyane gazetted the IEMP.

In terms of SKA development, the environmental affairs department, together with the DST and the South African Radio Astronomy Observatory, consulted communities from towns surrounding the project site in the Northern Cape, and the IEMP is part of that procedure.

The IEMP covers the environmental principles to be followed in the construction and operation of SKA phase one, the environmental monitoring and control activities to be undertaken, as well as the long-term research monitoring programmes to be implemented at the SKA site.

This is the first time an environmental instrument of this kind has been adopted at national level in SA, reveals the DST.

"The department is very pleased with the conclusion of this process that has granted the environmental licence for the construction of SKA phase one to proceed in the Northern Cape," says the DST's acting chief director for astronomy, Takalani Nemaungani.

"I would like to thank these communities and the municipalities, as well as the stakeholders in various sectors affected by the project, for actively participating in the meetings and workshop held by the Council for Scientific and Industrial Research (CSIR), who served as the facilitators," he adds.

The SKA project is an international effort to build the world's largest radio telescope, led by the SKA Organisation. It will be built in two main phases in SA and Australia, with a later expansion in both countries and into other African countries.

The CSIR was appointed to undertake the environmental assessment for SKA phase one. The study, which took three years to complete, covered an area of approximately 628 200 hectares in the Karoo.

The study, states the department, assessed the impacts the construction and operation of phase one of the SKA project might have on local agriculture, heritage, archaeology, visual landscape, terrestrial ecology and biodiversity, as well as local socio-economic aspects.

Further aspects of sensitivity in terms of aviation, defence, telecommunications, weather services, mining, water use, waste management, noise and traffic effects were also investigated.

Dr Rob Adam, MD of the South African Radio Astronomy Observatory, says: "The development of the IEMP for the first phase of the SKA, and the gazetting of its adoption by minister Mokonyane, is yet another milestone towards the realisation of the SKA mid-frequency array in South Africa."
