
Security Bits – 12 January 2020

Commentary by Allison — Bart is testing out a new format which in theory will cut the time it takes him to do Security Bits in half. This week covers 4 weeks' worth of security news, so it’s not the best test case, but the new format is here. We welcome feedback on it as always!

Feedback & Followups

Listener Feedback

Hi Allison,

Just want to clarify a point with regard to the Singapore law that Bart was talking about.

The law states that if the government finds a post that is considered fake news, the original post is to remain, but Facebook (or whoever) has to add a section to it stating that the Singapore government considers this fake news and carry a link to a page that would explain why the Singapore government considers it fake.

So all Singaporeans who view this page would be allowed to read the government’s side of the story and it would be up to the user to decide who is right.

The law never states that the original post is to be edited by the author or Facebook.

If you are interested, you can have a read of this article www.straitstimes.com/…

I mean, you can look at it from a negative point of view and say that another government is treading on people’s rights. But you can also look at it from the point of view that everyone should be given a right to read both sides of a statement and make a decision themselves.

I know that most of your listeners would believe that Singapore is an authoritarian state, but if you ever lived here or talked to others from the USA or UK who live here, you would find that is far from the truth. The government doesn’t listen to all conversations and does not shut down dissent if they are allowed to rebut. Whether that is the right thing to do is another question.

And I am critical of my government but in my view this law shouldn’t be a big issue as nobody needs to change their posts if they don’t want to.

Desmond
from Singapore

And an addendum from Desmond:

Just want to make a correction in my email. It seems that there is part of the law which requires the user to take down their post but it has not been used as of now. But from the looks of it, I think this part will be used if it is somehow related to national security (an overused phrase that is so loaded). There are of course appeals to the directive the highest of which is going to court.

Updates/Developments

🧯Deep Dive — Plundervolt

In December security researchers released details of a bug in some Intel CPUs that they’ve given the catchy name Plundervolt.

The vulnerability uses the fact that very subtly reducing the CPU’s voltage can cause the CPU to start making predictable mistakes when multiplying numbers together. This can be used to trick SGX (Security Guard Extensions), Intel’s equivalent of Apple’s secure enclave, into reading the wrong memory address when it’s trying to read a cryptographic key. This effectively defeats SGX.

Intel have released a BIOS patch that removes the instruction for tweaking the voltage, making the attack impossible.

There’s no need for regular users to worry because most computers don’t support SGX, and those that do have it turned off by default, and very few home users would go to the trouble of opening their BIOS settings to turn it on.
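To make the “wrong memory address” point concrete, here is a small C model, added for these notes and not code from the podcast or the Plundervolt researchers. It simulates a faulted multiply corrupting an element offset inside a buffer (the real fault comes from the hardware; the `mul_faulty` function and the `enclave_offset` helper are constructed for illustration) and shows the kind of redundant-computation check that catches a product the CPU got wrong even when the result still lands inside the buffer.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed fault model: swapping in a different multiplier lets us
 * simulate an undervolt-induced wrong product. Real hardware exposes no
 * such hook; a faulted CPU would simply return the wrong value. */
typedef uint64_t (*mul_fn)(uint64_t, uint64_t);

static uint64_t mul_exact(uint64_t a, uint64_t b) { return a * b; }

/* Simulated faulty multiplier: the product comes back with one bit flipped. */
static uint64_t mul_faulty(uint64_t a, uint64_t b) { return (a * b) ^ (1ULL << 4); }

/* Redundant-computation check: recompute the product by an independent
 * path (shift-and-add) and cross-check with a division. Returns 1 when all
 * three agree; 0 (and *out untouched) on any mismatch or on overflow. */
int mul_verified(mul_fn mul, uint64_t a, uint64_t b, uint64_t *out) {
    uint64_t p = mul(a, b);
    uint64_t q = 0;
    for (uint64_t x = a, y = b; y; y >>= 1, x <<= 1)
        if (y & 1) q += x;              /* reference product, no hardware multiply */
    if (p != q) return 0;
    if (b != 0 && p / b != a) return 0; /* division cross-check, also rejects overflow */
    *out = p;
    return 1;
}

/* Model of an enclave indexing step: element i of size elem_size within a
 * buffer of buf_len bytes. A bounds check alone does not notice a product
 * that is wrong but still inside the buffer, so the multiply is verified
 * first. Returns the byte offset, or -1 if it cannot be trusted. */
int64_t enclave_offset(mul_fn mul, uint64_t i, uint64_t elem_size, uint64_t buf_len) {
    uint64_t off;
    if (!mul_verified(mul, i, elem_size, &off)) return -1;
    if (off + elem_size > buf_len) return -1;
    return (int64_t)off;
}

int main(void) {
    /* Element 3 of 16-byte keys in a 64-byte buffer: correct offset is 48. */
    printf("exact : %lld\n", (long long)enclave_offset(mul_exact, 3, 16, 64));
    /* The faulted product 3*16 = 32 is in bounds but points at the wrong key;
     * the redundant check rejects it instead of silently reading element 2. */
    printf("faulty: %lld\n", (long long)enclave_offset(mul_faulty, 3, 16, 64));
    return 0;
}
```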

Links

  • A really good explanation of how the attack works, what the implications are, and why we don’t need to stress over it — nakedsecurity.sophos.com/…

Action Alerts

Worthy Warnings

Notable News

Top Tips

Excellent Explainers

Interesting Insights

Palate Cleansers

  • 🎧 I recommend this entire (sadly short) podcast series very highly. Linked is a security-related episode that I think makes the perfect introduction to the show for this audience: Cautionary Tales: The Rogue Dressed as a Captain — overcast.fm/…
  • 🎧 Another podcast recommendation. Hackable by McAfee is a podcast series that takes a first-hand look at what it’s like to be exploited by the attacks we hear about in this segment all the time. The host invites security researchers to demonstrate threats to the audience by hacking him or one of his colleagues at McAfee. I’ve listened to every episode and they’re all superb, but I think this specific episode will serve as a particularly good introduction to the series: Hackable?: And We’re In — overcast.fm/…
  • 🎧 A great holiday special from the wonderful Darknet Diaries podcast – the true story of a penetration test told as a classic Noir detective story (think Dixon Hill on Star Trek TNG) — Darknet Diaries 55: NoirNet — overcast.fm/…

Note: When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
