January 5, 2018

F**CKWIT, aka KAISER, aka KPTI – Intel CPU flaw needs low-level OS patches

By Paul Ducklin

In the near future – in all likelihood, later this month – at least Windows and Linux will get security updates that change the way those operating systems manage memory on Intel processors.

There’s a lot of interest, excitement even, about these changes: they work at a very low level and are likely to affect performance.

The slowdown will depend on many factors, but one report suggests that database servers running on affected hardware might suffer a performance hit around 20%.

“Affected hardware” seems to include most Intel CPUs released in recent years; AMD processors have different internals and are affected, but not quite as broadly.

So, what’s going on here?

On Linux, the forthcoming patches are known colloquially as KPTI, short for Kernel Page Table Isolation, though they have jokingly been referred to along the way as both KAISER and F**CKWIT.

The latter is short for Forcefully Unmap Complete Kernel With Interrupt Trampolines; the former for Kernel Address Isolation to have Side-channels Efficiently Removed.

Here’s an explanation.

Inside most modern operating systems, you’ll find a privileged core, known as the kernel, that manages everything else: it starts and stops user programs; it enforces security settings; it manages memory so that one program can’t clobber another; it controls access to the underlying hardware such as USB drives and network cards; it rules and regulates the roost.

Read more at https://nakedsecurity.sophos.com/2018/01/03/fckwit-aka-kaiser-aka-kpti-intel-cpu-flaw-needs-low-level-os-patches/

Children at ‘significant’ social media risk

By Lisa Vaas

Slime.

It’s the most beautiful, satisfying, relaxing thing I’ve ever seen, and it proves that children are geniuses, because they’re smart enough to make it and smart enough to watch online slime videos.

Says 11-year-old Alina:

If you’re like really stressed or something and you watch a really satisfying slime video it makes you like calmer.

So that’s one of many plus sides of how kids – the under-13 crowd – are using social media. They say it takes their minds off things, too: “If you’re in a bad mood at home you go on social media and you laugh and then you feel better,” says 10-year-old Kam.

But according to a Children’s Commissioner report that looked at social media use among 8- to 12-year-olds, children aren’t getting enough guidance to cope with the emotional demands that social media puts on them.

For instance, many children interviewed for the report were over-dependent on “likes” and comments for social validation, according to researchers. They spoke to 32 children in eight focus groups, each including two friendship pairs, grouped by age and gender. The report says that the friendship pairing was done to enable the children to “open up with more confidence during the research, and to allow for insight around peer dynamics and other social factors to emerge more naturally.”

These are some of the things the kids said about getting social validation from social media:

If I got 150 likes, I’d be like, ‘that’s pretty cool, it means they like you’.

I just edit my photos to make sure I look nice.

My mum takes pictures of me on Snapchat… I don’t like it when your friends and family take a picture of you when you don’t want them to.

I saw a pretty girl and everything she has I want, my aim is to be like her.

Speaking to the BBC, the Children’s Commissioner for England, Anne Longfield, called on schools and parents to prep children emotionally for what she called the “significant risks” of social media as they move schools and meet new classmates, many of whom have their own phones.

Read more at https://nakedsecurity.sophos.com/2018/01/05/children-at-significant-social-media-risk/

Social media namer and shamer charged

By Lisa Vaas

An 18-year-old woman in the UK has been charged with publishing the names of two sexual assault victims on social media.

A local publication, Liverpool Echo, reports that Sophie Turner, of Merseyside, has been charged with two counts of publishing the names of the victims of a sexual offense and with two counts of harassment.

Turner allegedly posted messages in July about two victimized teenage girls following the sentencing of the two men who assaulted them. She’s now out on bail and due to appear at Liverpool Magistrates Court on 7 March.

The Echo says this is the first time somebody’s been charged with this particular crime in Merseyside, but it’s not the first time it’s happened in the UK.

One such instance was the infamous rape case for which footballer Ched Evans was convicted in 2012 (a conviction overturned on subsequent retrial). Ten people were accused of naming the victim on social media, including on Facebook and Twitter.

According to The Guardian, some of the defendants said the victim was “crying rape” and called her names. One tweet read: “She is to blame for her own downfall. Let’s find her address.”

As in many other countries, publicly naming rape victims is illegal in the UK. Victims of sexual assault are entitled to anonymity for life under the Sexual Offences Act 2003. It’s not just verboten for media; anyone can be convicted for identifying a victim.

The rationale for keeping victims’ names secret is that sex crimes are already widely under-reported: in 2012, the British Crime Survey found that about 89% of rape victims hadn’t reported the crime to police. What’s more, the conviction rate is vanishingly small: a recent documentary on rape reported that only 3% of rapes in the UK end with a guilty conviction. Victims claim that they’re blamed for the crime or simply not believed. Anonymity is one way to battle the victim-blaming and slut-shaming that keep the crimes unreported and the criminals out of court.

Read more at https://nakedsecurity.sophos.com/2018/01/04/social-media-namer-and-shamer-charged/

Is your Spotify password up to scratch?

By Taylor Armerding

If you’re among the 140 million users who enjoy streaming music from Spotify – especially if you are one of its 60 million paying customers for “premium” services – you might want to make sure you have a strong, long and unique password on your account. If not, you could be letting cybercriminals into your account.

Collective Labs’ Ryan Jackson came across a brute force hacking tool called Spotify Cracker v1 last month, which automatically cycles through known username and password combinations and breaks into Spotify accounts that use those credentials.

17-year-old Jackson, who reportedly has a history of involvement with hacking groups New World Hackers and Lizard Squad (“while never participating in their antics”), told the International Business Times (IBT) that he found the tool on a private server on Discord – a popular, free online communications platform used primarily by gamers.

And given current Spotify login security protocols – the company doesn’t use CAPTCHAs or offer two-factor authentication (2FA) – it doesn’t meet much resistance. Without mechanisms to lock down an account after a certain number of incorrect password guesses, a brute force attack can simply keep guessing until it is successful.

Read more at https://nakedsecurity.sophos.com/2018/01/04/is-your-spotify-password-up-to-scratch/
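The missing control described above, sketched as an added example (not code from the article or from Spotify): a sliding-window counter of failed logins kept per account and per source address, replayed over constructed events. The thresholds, class and function names are assumptions; the per-source counter is included because a tool that tries one known username and password pair per account never trips a per-account lockout.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold, not taken from the article
WINDOW_SECONDS = 300   # assumed sliding window


class LoginThrottle:
    """Count recent failed logins per account and per source address."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.by_account = defaultdict(deque)
        self.by_source = defaultdict(deque)

    def _recent(self, failures, now):
        # Drop failures that have aged out of the window, then count the rest.
        while failures and now - failures[0] >= self.window:
            failures.popleft()
        return len(failures)

    def allowed(self, account, source, now):
        return (self._recent(self.by_account[account], now) < self.max_failures
                and self._recent(self.by_source[source], now) < self.max_failures)

    def record_failure(self, account, source, now):
        self.by_account[account].append(now)
        self.by_source[source].append(now)


def replay(events, throttle):
    """Replay (time, account, source, password_ok) events and return each outcome."""
    outcomes = []
    for now, account, source, password_ok in events:
        if not throttle.allowed(account, source, now):
            outcomes.append("blocked")      # locked out, even if the password is right
        elif password_ok:
            outcomes.append("success")
        else:
            throttle.record_failure(account, source, now)
            outcomes.append("failed")
    return outcomes


# Constructed sample: one source tries a different account every second.
STUFFING = [(t, f"user{t}@example.com", "203.0.113.7", False) for t in range(8)]
# Constructed sample: a legitimate user logging in from another address.
LEGIT = [(9, "alice@example.com", "198.51.100.20", True)]
# Constructed sample: repeated guesses at one account from changing sources.
GUESSING = [(t, "bob@example.com", f"192.0.2.{t}", False) for t in range(8)]
```

With the assumed threshold of five, both constructed patterns are cut off after the fifth failure while the unrelated legitimate login still succeeds.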

Artificial Intelligence to listen for suicidal thoughts on social media

By Lisa Vaas

Canada is planning a pilot project to see if Artificial Intelligence (AI) can find patterns of suicidality – i.e., suicidal thoughts or attempts, self-harm, or suicidal threats or plans – on social media before they lead to tragedy.

According to a contract award notice posted by the Public Health Agency of Canada (PHAC), the $99,860 project is being handled by an Ottawa-based AI company called Advanced Symbolics Inc. (ASI). The agency says the company was the only one that could do it, given that ASI has a patented technique for creating randomized, controlled samples of social media users in any geographic region.

The focus on geographic region is key: As it is, the country is reeling after a dramatic spike in suicides in Cape Breton among girls 15 years old and younger and men in their late 40s and early 50s.

The idea isn’t to identify specific individuals at risk of suicide. Nor is it to intervene. Rather, the project’s aim is to spot patterns on a regional basis so that public health authorities can bolster mental health resources to regions that potentially face suicide spikes.

The project is set to begin this month and finish by the end of June, if not before.

First, the PHAC and ASI will work to broadly define these suicide-related behavior terms: ideation (i.e., thoughts), behaviors (i.e., suicide attempts, self-harm, suicide) and communications (i.e., suicidal threats, plans). The next phase will be to use the classifier to research the “general population of Canada” in order to identify patterns associated with users who discuss suicide-related behavior online.

Read more at https://nakedsecurity.sophos.com/2018/01/04/artificial-intelligence-to-listen-for-suicidal-thoughts-on-social-media/

Ad scripts track users via browser password managers

By John E Dunn

Researchers have spotted a sly new technique adopted by advertising companies to track web users that can’t be stopped by private browsing, clearing cookies or even changing devices.

The method, discovered by Princeton’s Center for Information Technology Policy, exploits the fact that many web users rely on the login managers built into browsers to autofill login details (email address and password) when they visit a familiar website.

Normally this is an innocent process, but on a small number of sites that have embedded either of two tracking scripts – AdThink and OnAudience – the user is fed a second invisible login screen on a subsequent page that is autofilled by most browser password managers without the user realizing this is happening.

At this point, the scripts capture a hashed version of the user’s email address, which is sent to one or more remote servers run by the advertising companies including, in the case of AdThink, large data broker Acxiom.

But what use is a hashed and therefore unusable email address? Quite simply:

Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier.

Email addresses don’t change often or at all, which means:

The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps.

The researchers speculate that tracking users via an email address identifier might even allow advertisers to join different browsing histories together even after cookies have been cleared.

Read more at https://nakedsecurity.sophos.com/2018/01/03/ad-scripts-track-users-via-browser-password-managers/
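Why a hashed address still works as a tracking identifier, as an added example (not code from the article, the researchers or the tracking scripts): the same constructed browsing observations are grouped first by cookie and then by email hash. SHA-256, the lower-casing and trimming step, and all names and sample values are assumptions for illustration.

```python
import hashlib


def email_id(email):
    """Hash of the normalised address (SHA-256 and normalisation are assumed)."""
    normalised = email.strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def by_cookie(observation):
    """Identifier that changes when cookies are cleared or the device changes."""
    return observation[1]


def by_email_hash(observation):
    """Identifier derived from the autofilled email address."""
    return email_id(observation[2])


def link_profiles(observations, key):
    """Group the contexts in which a visitor was seen under the chosen identifier."""
    profiles = {}
    for observation in observations:
        profiles.setdefault(key(observation), []).append(observation[0])
    return profiles


# Constructed observations: (context, cookie id, autofilled email address).
# The first three rows are one person across a normal window, a private
# window and a phone; each context carries a different cookie.
OBSERVATIONS = [
    ("laptop/normal", "c-1a2b", "Pat@Example.com"),
    ("laptop/private", "c-9f8e", "pat@example.com"),
    ("phone", "c-77d0", " pat@example.com"),
    ("laptop/normal", "c-4c4c", "sam@example.org"),
]

if __name__ == "__main__":
    print(len(link_profiles(OBSERVATIONS, by_cookie)), "profiles when keyed by cookie")
    print(len(link_profiles(OBSERVATIONS, by_email_hash)), "profiles when keyed by email hash")
```

Keyed by cookie, the four observations look like four unrelated visitors; keyed by the hash, the three contexts belonging to one address collapse into a single profile.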
