This Week in Security: Crosstalk, TLS Resumption, And Brave Shenanigans

Intel announced CrossTalk, a new side-channel attack that can leak data from CPU buffers. It’s the same story we’ve heard before: bits of internal CPU state can be inferred by other processes. This attack is a bit different, in that it can leak data across CPU cores. Only a few CPU instructions are vulnerable, like RDRAND, RDSEED, and EGETKEY. Those particular instructions matter, because they’re used in Intel’s Secure Enclave and OpenSSL, to name a couple of important examples.


What’s happening here is that a “special register buffer” is shared between all the cores on a CPU, and is only used for a few instructions. The contents of that buffer can be leaked with existing data-sampling vulnerabilities such as MFBDS (ZombieLoad) and TAA. The mitigation is rather extreme: the entire processor is paused until the vulnerable instruction completes and the buffer is overwritten. The performance hit can be intense on some workloads.

And in other side-channel news, the Linux kernel just received a few fixes. The first is a fix for certain cases where speculative execution mitigations have been enabled, but they’re not actually active. The second bug was a case of performance optimization gone awry: an attacking process can simply set a couple of flags and is given a pass, allowing a Spectre V4 attack. And finally, it was discovered that it was possible to re-enable speculative execution while the machine still reports that speculation is disabled. These bugs were announced publicly, and are in the process of being fixed.

Brave Browser

A bit of a kerfuffle developed this week around the Brave browser. A Twitter user noticed something odd when visiting a few particular sites in the Brave browser — going to a particular web site, Binance.us, ended up sending him to an affiliate link. As you can imagine, this behavior from a browser that sells itself as privacy-focused wasn’t exactly well received.

What’s going on here? The first detail to note is that the affiliated link was an autofill, not a redirect. The official response clears up what’s going on here. Brave has an option, on by default, to show “Brave suggested sites” as part of the autofill list. These are sponsored links, and have a global referral code baked into the link. According to the official response, it was unintended for the sponsored suggested link to show up first in the list of autocompletes, where it was automatically selected by hitting enter.

GNUTLS 1.3 Compromise

A bug in GnuTLS was recently reported, where session resumption could be abused by a malicious server to launch a MitM attack against a TLS connection. Session resumption is built into the TLS 1.3 protocol, and is a way to avoid a full TLS handshake when a client re-connects to the server. Instead, on initial connection, the server sends an encrypted session snapshot — a session ticket. Because it’s encrypted by the server, the client can’t extract any data from the ticket. On a reconnection, the session ticket is sent instead of the normal handshake, and the included session data is used to resume the encrypted TLS connection.

It’s a good scheme, so long as the session ticket encryption is solid. On the other hand, if a server fails to set a good encryption key, then this scheme is just asking for problems. GnuTLS, up until a few days ago, seemed to be using an encryption key of all zeroes. It’s an unfortunate mistake, and a dangerous one. When a client sends the session ticket to a hostile server, it’s easily decrypted, and the client believes it’s talking to the original server.
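To make the consequence of a fixed ticket key concrete, here is an added toy model of session-ticket issuance and resumption (example code written for this column, not GnuTLS’s implementation). It stands in an HMAC-based encrypt-then-MAC construction for the real AEAD, uses a constructed all-zero key and a constructed non-zero key, and shows both the sanity check a server should apply to its ticket key and why a rogue server that guesses the zero key can open a ticket the legitimate server issued:

```python
import hashlib
import hmac
import json

# Constructed keys for the demo. A real server must draw its ticket key from a CSPRNG;
# the all-zero key models the defect described above.
ZERO_KEY = bytes(32)
GOOD_KEY = bytes(range(32))  # stand-in for a randomly generated 32-byte key

def check_ticket_key(key: bytes) -> bool:
    """Defender's check: reject keys that are too short or degenerate (a single repeated byte)."""
    return len(key) >= 32 and len(set(key)) > 1

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC subkeys from the ticket key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Simplified counter-mode keystream built from HMAC; stands in for AES-GCM.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal_ticket(key: bytes, session: dict, nonce: bytes) -> bytes:
    """Server side: encrypt-then-MAC the session snapshot into an opaque ticket."""
    plaintext = json.dumps(session, sort_keys=True).encode()
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_ticket(key: bytes, ticket: bytes):
    """Whoever holds the ticket key recovers the session; returns None if the MAC fails."""
    nonce, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return json.loads(bytes(c ^ k for c, k in zip(ct, stream)))

def rogue_server_can_resume(server_key: bytes) -> bool:
    """Model the risk: a hostile server that assumes the zero key tries to open a ticket
    issued by the legitimate server and recover the resumption secret inside it."""
    session = {"resumption_secret": "deadbeef", "cipher": "TLS_AES_128_GCM_SHA256"}  # constructed
    ticket = seal_ticket(server_key, session, nonce=b"\x01" * 16)  # fixed nonce for reproducibility
    return open_ticket(ZERO_KEY, ticket) == session
```

With the zero key the rogue server recovers the full session snapshot; with any properly generated key the MAC check fails and it learns nothing.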

Smart Contract Malware

The cryptocurrency world is a developing target for malware. Case in point, a malicious contract that was recently discovered on the Ethereum blockchain. This particular contract is reminiscent of the attack on The DAO back in 2016.

The big selling point of Ethereum is the smart contract. It’s a way to embed code into a blockchain, and automatically run that code on certain conditions. If we’ve learned anything from history like the obfuscated C contest, it’s that code isn’t always what it seems.

In this case, the problem is a reentrancy vulnerability. If another smart contract makes a withdrawal, this second smart contract has an opportunity to run its own code as a part of the withdrawal action. When that happens, it’s possible to make a call back into the vulnerable contract, and continue extracting money. The attack on a vulnerable contract like this one goes as follows: deposit at least 1 ETH, which grants the right to make a withdrawal. Wait until others have invested in the same contract, and then use the vulnerability to withdraw everyone’s funds.

But hang on, this isn’t just a vulnerable contract, it’s a malicious one. The part of the contract that allows withdrawing money has a catch: only the creator of the contract is actually able to withdraw any funds. The whole thing is a malicious honeypot. The contract appears to contain an exploitable vulnerability, but really it steals the 1 Ether price of entry from anyone looking to drain the funds.
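The three behaviours the last two paragraphs describe, as an added Python model written for this column (not the Ethereum contract in question, and not Solidity): the same withdraw routine in a vulnerable form that clears the balance after the external call, a fixed form that clears it first (checks-effects-interactions), and the honeypot form whose hidden owner check means the apparent reentrancy can never be used. Deposit amounts and names are constructed.

```python
class Vault:
    """Toy deposit/withdraw contract. ``mode`` selects the variant:
    'vulnerable' clears the balance after paying out, 'fixed' clears it before,
    'honeypot' only ever pays the contract creator."""

    def __init__(self, owner, mode="vulnerable"):
        self.owner = owner
        self.mode = mode
        self.balances = {}
        self.funds = 0  # total ETH held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, caller):
        amount = self.balances.get(caller.name, 0)
        if amount == 0 or amount > self.funds:
            return
        if self.mode == "honeypot" and caller.name != self.owner:
            return  # the hidden catch: nobody but the creator can ever withdraw
        if self.mode == "fixed":
            self.balances[caller.name] = 0  # effect first ...
        self.funds -= amount
        caller.receive(self, amount)  # ... then the external call, which may call back in
        if self.mode == "vulnerable":
            self.balances[caller.name] = 0  # too late: the callback already re-entered


class Account:
    """Ordinary participant: receiving ETH just increases what it holds."""
    def __init__(self, name):
        self.name, self.received = name, 0

    def receive(self, vault, amount):
        self.received += amount


class ReentrantAccount(Account):
    """Participant whose receive hook (the EVM fallback) calls withdraw again
    before the contract has cleared its balance."""
    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw(self)


def run_scenario(mode):
    """Attacker deposits 1 ETH, two others deposit 5 ETH in total, attacker withdraws.
    Returns (ETH the attacker got back, ETH left in the contract)."""
    vault = Vault(owner="creator", mode=mode)
    attacker = ReentrantAccount("attacker")
    vault.deposit(attacker.name, 1)
    vault.deposit("alice", 2)  # constructed victim deposits
    vault.deposit("bob", 3)
    vault.withdraw(attacker)
    return attacker.received, vault.funds
```

In the vulnerable variant the re-entering call drains all 6 ETH; in the fixed variant it gets back only its own 1 ETH; in the honeypot variant it gets nothing and its 1 ETH entry fee stays with the creator.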

Breaking CMD.EXE

This is just fun, but as Microsoft doesn’t consider it a real security threat, it still works in Windows 10.

cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"

What’s the story here? Cmd.exe first tries to interpret the string as a relative path. “ping 127.0.0.1/” and the first “../” essentially cancel each other out. It’s not a vulnerability per se, but I can only imagine that this particular unexpected behavior could be abused. Imagine a ping test that takes a user input, and uses the cmd /c command to run the test. If user input isn’t sanitized, this quirk can be abused to run an arbitrary command.
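The defensive side of that last scenario, as an added example (written for this column, not taken from Microsoft or any real ping tool): a ping wrapper that accepts only a literal IP address or a plain DNS hostname and passes the target as a single argv entry with shell=False, so the string never reaches cmd /c at all and a path-shaped input like the one above is rejected before anything runs.

```python
import ipaddress
import re
import subprocess
import sys

# One DNS label: letters, digits and hyphens only, so slashes, spaces, quotes
# and "../" segments can never pass.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_safe_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a well-formed hostname."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)

def build_ping_argv(target: str) -> list:
    """Build the argument vector for a single ping; the target is validated first."""
    if not is_safe_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", count_flag, "1", target]

def run_ping(target: str) -> int:
    """Run ping with shell=False: no cmd.exe, no path re-interpretation of the input."""
    return subprocess.run(build_ping_argv(target), check=False).returncode

if __name__ == "__main__":
    print(build_ping_argv("127.0.0.1"))
```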

Source: https://hackaday.com/2020/06/12/this-week-in-security-crosstalk-tls-resumption-and-brave-shenanigans/


Energy Harvesting with Bluetooth 5.0


Energy harvesting technology is likely to be a game-changer for countless industries, offering the potential to extend the battery life of connected devices indefinitely. So what is energy harvesting technology? Let’s dive in and learn more.

Several popular energy harvesting methods exist, including photovoltaic/solar, radio frequency (RF), mechanical (motion), and thermal, and they can be paired with a low-power radio implementation that supports the latest Bluetooth 5.0 standard. Energy harvesting enables certain applications to operate without a battery or with a “forever battery” that automatically recharges for the life of an Internet of Things (IoT) device. In some instances, batteries aren’t needed at all. Just imagine how many batteries would be saved from going into landfills! Not to mention the costs of purchasing and replacing batteries.

This article will look at five top industries – consumer electronics, smart cities, transportation, manufacturing and fulfillment, and entertainment – where energy harvesting technology promises to make a big impact over the next decade.

Consumer Electronics

Consider all of the different connected devices you have in your home. Many of these devices need to be charged often, while others use batteries that need to be changed anywhere from every few months to every few years. Now think about how nice it would be if your smartwatches, wearables, remotes, keyboards, and other connected devices would run for the entire lifetime of the device – no more remotes dying right when you’re watching the big game.

Smart Cities

During the past few years, there has been a lot of hype and excitement around smart city solutions like sensors that can monitor temperature, humidity, air quality, the presence of gas, etc. These metrics help companies run their facilities more efficiently and safely and allow cities to make more informed decisions about mitigating quality of life issues. Today most of these sensors run on batteries, so it’s no surprise that Bluetooth 5 sensors with energy harvesting technology will become increasingly popular. Plus, the cost savings will allow cities to allocate funds to the things that need it most, like education and healthcare.

Transportation

Car accessories and infotainment devices are also prime targets for energy harvesting technology. Key fobs, for example, need their batteries changed every few years. While changing one every few years might not sound so bad, the consequences of your key fob dying and leaving you stranded makes energy harvesting technology sound a lot more appealing. Plus, with over a billion cars on the road globally, reducing battery usage in these devices – with energy harvesting, Bluetooth 5 and other cutting-edge technologies – will make a huge difference.

Manufacturing and Fulfillment

Many manufacturing and fulfillment centers use asset trackers such as small beacons to help keep track of equipment and shipping goods. These asset trackers help streamline operations and ensure items don’t get lost, meaning that it’s essential that they work at all times. Using Bluetooth 5 asset trackers with energy harvesting technology is saving companies time and money by not having to replace batteries regularly, decreasing overall cost of ownership of these systems. In the future we’ll also see more facilities using robotics that have integrated energy harvesting capabilities.

Entertainment

Theme parks offer fun for the whole family, but it can often be stressful navigating these big, crowded attractions. Using your smartphone’s GPS might be helpful on the road, but it’s often little help at amusement parks. This is doubly true when trying to navigate any places that are indoors. In the future, we’ll see more theme parks adopt Bluetooth 5 location beacons to help solve this problem. These beacons can send signals to your smartphone. When used with a theme park’s dedicated app, you can get more precise location information so you can focus on having fun. With some theme parks being as large as cities, many batteries are saved from going into landfills, and the resulting cost savings are something theme parks can reinvest into exciting new attractions.

The examples above are just five of the many (and ever-increasing) adoptions of Bluetooth 5 energy harvesting solutions, and show how they benefit the environment while also saving companies time and money. The market will continue to witness the power of energy harvesting now and into the future.

Source: https://www.iotforall.com/energy-harvesting-with-bluetooth-5-0


Prioritizing Artificial Intelligence and Machine Learning in a Pandemic


Artificial Intelligence (AI) and Machine Learning (ML) give companies the one thing humans can’t – scalability. Over time, humans limit a business’s ability to scale; they can only work so many hours at a given efficiency. On the other hand, AI and ML can work around the clock with the sole focus on a given project. As organizations navigate through COVID-19’s impact and the future of a remote workforce, scalability and efficiency can be the key to an organization’s successful recovery.

Implementation Challenges

The benefits of AI and ML don’t come without their own challenges; the top challenges are a lack of skills and time for proper implementation. In July, Deloitte found in a survey that 69% of respondents said the skills gap for AI implementation ranged from moderate to major to extreme. Simultaneously, many companies overlook the investment it takes to build the processes and infrastructure needed for successfully training, testing, deploying, and maintaining AI and ML in their enterprise.

Such challenges often cause companies to de-prioritize AI and ML projects, especially in times of uncertainty. That has been increasingly obvious throughout the COVID-19 pandemic. But while some organizations have drawn back on their efforts, the current global state demands the greater need for AI and ML to support critical business processes. This is especially true today given the growing remote workforce, considerations for returning to the workplace and work happening in silos worldwide.

Though challenging, it is not impossible to properly implement AI and ML. In this evolving COVID-influenced business landscape, four steps are key to effectively implementing a strong AI and ML system that helps streamline critical business processes despite uncertainty and limited resources.

Identify the Problem to Be Solved

Some companies mistakenly view AI and ML projects as a ‘silver bullet’ to solve all their problems. This often results in overinflated expectations, an unfocused approach, and unsatisfactory results. Instead, companies should identify those specific problems that will have the biggest impact from implementing AI and ML solutions and be hyper-focused on solving those problems.

Select Your Data

The second step in creating a strong AI and ML algorithm is to select the source data that your algorithm will be training on. There are two main options: training on your own data or training on a larger scale data set. Based on experience, training your algorithm on your own data puts you at a disadvantage. By training on a larger scale data set, the likelihood of success increases because your data is more representative and varied. Through advanced concepts such as transfer learning, companies can use semi-trained models based on larger data sets and then train the “last mile” using their own specific content unique to their business.

Clean House

The standby rules of data management apply here – garbage in, garbage out. Ultimately, the quality and accuracy of machine learning models depend on the training data being representative. AI and ML – fed with the right data – can streamline operations and increase the benefit of companies’ digital transformation (DX) and cloud migration journeys.

When you’re kicking off an AI or ML project, the most critical step is to clean up the data that your algorithm will be training on, especially if you’re using your own data or models.

Make Room for Training

AI and ML are all about probability. When you ask it a question, for example, “Is this a cat?,” the results you receive are the algorithm saying, “Out of the three buckets I was trained on, the likelihood of this image being a cat is .91, the likelihood of this image being a dog is .72 and the likelihood of this image being a bird is .32.”

This is why training on varied data is so important. If your training data only includes images of cats, dogs, and birds and you ask the algorithm to analyze the picture of a crocodile, it will only respond based on the buckets it’s been trained on – cats, dogs, and birds.

If you’ve properly selected and cleaned your data, training should be an easy last step, but it’s also an opportunity to go back to the first two steps and further refine based on your training.

The front end of training an AI and ML algorithm can be time-intensive, but following these four steps can make it easier to achieve significant outcomes. Across industries, AI and ML can quickly show ROI. For example, in the insurance industry, AI and ML can help insurers quickly search contracts, so employees aren’t sifting through contracts and repositories around the globe to answer simple questions. This means time efficiencies for an industry that COVID-19 has heavily impacted.

Even better, working with a SaaS provider with experience in your industry can make this process much easier and less costly. SaaS platforms allow companies to take advantage of having all of the infrastructure, security, and pre-trained models in place to reduce the overall effort and time to value. Many platforms allow users to uptrain the predefined models with unique customer data, reducing the training effort needed for model creation. Companies can then focus on integration with their ecosystem and workflows rather than model creation itself.

Bigger Picture

Overall, businesses can soften the impact of COVID by focusing on the bigger picture with AI and ML. Implementing AI and ML projects increases business productivity despite these times of uncertainty. As we continue on the road to recovery, we need tools like AI and ML to stay focused on the bigger picture: mission-critical tasks.

Source: https://www.iotforall.com/prioritizing-artificial-intelligence-and-machine-learning-in-a-pandemic
