Category Archives: Stiri IT Externe (External IT News)

OpenSSL 3.0 Release Candidate Arrives With Big Changes


The OpenSSL project today shipped OpenSSL 3.0 Beta, its equivalent of a release candidate, ahead of the planned official 3.0.0 release next quarter.

OpenSSL 3.0 has been in the works for a while as a major redesign of this widely used, critical open-source security component. It is more extensible than the current stable 1.1 series and brings a number of new features. Another fundamental change is licensing: OpenSSL 3.0 is released under the Apache License 2.0 instead of the old dual OpenSSL/SSLeay license.

OpenSSL 3.0 moves to a provider-based architecture: algorithm implementations are supplied by providers (the built-in default, legacy and base providers, the FIPS provider, or third-party ones) that applications load at run time, rather than being fixed into libcrypto. Fully "pluggable" TLSv1.3 groups, new encoder and decoder support, a complete Certificate Management Protocol (CMP, RFC 4210) implementation, new APIs, and integrated support for kernel TLS are among the many big changes coming with OpenSSL 3.0. One practical consequence of the provider split is that older algorithms such as MD4, RC4 and single DES now live in the legacy provider, which an application must load explicitly or activate in openssl.cnf before those algorithms are available.

This OpenSSL 3.0 beta (release candidate) comes after more than a dozen alpha releases in recent weeks.

More details on today's OpenSSL 3.0 release candidate can be found on the project site. Many more technical details on the plethora of changes in OpenSSL 3.0 can be found on the OpenSSL Wiki. OpenSSL 3.0.0 stable is expected in Q3.

KDE Plasma 5.22 Released with Better Stability… » Linux Magazine

The KDE Plasma developers have been incredibly busy this cycle, refactoring code, fixing bugs, and adding new features, all of which come together to bring even more performance to the desktop environment. The developers are so proud of this release (and the work they’ve achieved) that they created a showcase site to highlight everything found in KDE Plasma 5.22.

The latest release is all about general eye candy and usability. And it shows.

One of the most exciting new features in KDE Plasma 5.22 is Adaptive Transparency: the panel switches between translucent and opaque depending on whether any window is maximized. When an app window is maximized, the panel is opaque; when none is, the panel is translucent. Users can opt out of this behaviour and make the panel always translucent or always opaque.

Other new features include a speed dial page for the System Settings app, which gives direct access to your most commonly used settings; System Tray widgets with a much more consistent appearance; and a completely redesigned digital clock that improves the look of the widget and lets users configure how the date and time are displayed. Users can also disable offline updates, select audio device profiles from the volume widget, and view all clipboard contents with the Super+V keyboard shortcut, and KSysguard has been replaced by the new Plasma System Monitor.

If you’re interested in checking out the latest KDE Plasma desktop, it’s now available in KDE Neon.


VPN Attacks Surged in First Quarter

Attacks against virtual private network (VPN) products from Fortinet and Pulse Secure surged dramatically in the first quarter of 2021 as threat actors tried to take advantage of previously disclosed vulnerabilities that organizations had not patched.

Log data collected by Nuspire from thousands of devices at customer locations shows attacks against Fortinet's SSL-VPN increased 1,916% from the beginning of the quarter as threat actors tried to exploit a path traversal vulnerability in the technology (CVE-2018-13379) that allows unauthenticated attackers to download system files, including the session file that holds VPN credentials in plaintext. Attacks targeting Pulse Connect Secure VPNs, meanwhile, jumped 1,527% during the same period as adversaries went after an arbitrary file disclosure vulnerability in the product (CVE-2019-11510), which carries the maximum possible CVSS score of 10.0.
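Both flaws are reached with a single unauthenticated HTTP request, so they are easy to spot in web-access logs from the appliances or from a reverse proxy in front of them. The following is an added example (not Nuspire's detection logic or any vendor's rule) that runs over constructed log lines and flags requests shaped like the publicly documented probes: for CVE-2018-13379, a ".." traversal in the "lang" parameter of "/remote/fgt_lang"; for CVE-2019-11510, a ".." traversal under "/dana-na/". The log format, the client addresses and the benign requests are constructed; the check decodes percent-encoding and collapses repeated slashes before matching, since both probes rely on those tricks.

```python
"""
Flag probes for CVE-2018-13379 (FortiOS SSL-VPN) and CVE-2019-11510
(Pulse Connect Secure) in web-access-style logs.
Added example, not Nuspire's or any vendor's detection logic.
"""
import re
from urllib.parse import unquote

# Constructed sample log: "<client> <method> <request-target>" per line.
# Lines 2, 4 and 5 follow the publicly documented probe shapes; 1 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.7 GET /remote/login?lang=en
203.0.113.7 GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
198.51.100.9 GET /dana-na/auth/url_default/welcome.cgi
198.51.100.9 GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/
192.0.2.4 GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2Fdev%2Fcmdb%2Fsslvpn_websession
"""

LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$")


def normalise(target):
    """Percent-decode twice (catches double encoding) and collapse '//' runs,
    so that '%2F..%2F' and '/..//////' both look like '/../'."""
    decoded = unquote(unquote(target))
    return re.sub(r"/{2,}", "/", decoded)


def has_traversal(s):
    """True when any path/query segment is exactly '..'."""
    return any(seg == ".." for seg in re.split(r"[/?&=]", s))


def classify(target):
    """Return the CVE a request target is probing for, or None."""
    t = normalise(target)
    path, _, query = t.partition("?")
    if path.startswith("/remote/fgt_lang") and "lang=" in query and has_traversal(query):
        return "CVE-2018-13379"
    if path.startswith("/dana-na/") and has_traversal(path):
        return "CVE-2019-11510"
    return None


def scan(log_text):
    """Return (line number, client, CVE) for every matching line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        cve = classify(m.group("target"))
        if cve:
            findings.append((lineno, m.group("src"), cve))
    return findings


if __name__ == "__main__":
    for lineno, src, cve in scan(SAMPLE_LOG):
        print("line %d: %s probed %s" % (lineno, src, cve))
```

A hit from an external address is worth treating as an exploitation attempt rather than a scan: on an unpatched appliance the first request already returns the file, so there is no later stage to catch.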

Both vendors patched the flaws in 2019, and security analysts have for some time been warning of high adversary interest in them. As far back as January 2020, for example, Tenable warned of threat actors leveraging the Pulse Connect Secure flaw to distribute the Sodinokibi (REvil) ransomware. In April 2021, the NSA, FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) identified Russia's Foreign Intelligence Service (SVR) as targeting the Fortinet and Pulse Secure VPN flaws in attacks against US and allied networks.

Jerry Nguyen, director of threat intelligence and rapid response at Nuspire, says the large spike in activity targeting VPN devices in Q1 2021 had to do with organizations not patching these vulnerabilities despite previous warnings.

“The US CIRT released a number of reminder alerts that attackers were looking at these VPNs and people should patch,” Nguyen says. “The biggest thing we are seeing with VPNs [is that] everyone is looking at the endpoint and not the perimeter when they need to look at both.”

Other vendors, such as Digital Shadows, have reported a similar heightened attacker interest in VPNs, especially after the COVID-19 outbreak and the subsequent shift to a more distributed work environment. One reason for the interest is the broad access that a compromised VPN appliance can provide an attacker, analysts have noted.

Read the rest of this article on DarkReading


Intel Speed Select Driver Issue Was Hurting Performance In Some HPC Benchmarks


Intel's Speed Select Technology (ISST), introduced with Cascade Lake to provide more granular power/performance controls, was meant to improve performance, but it turns out an inefficiency in the ISST Linux driver could cost 10% or more on some HPC benchmarks.

Public details on this latest Intel Speed Select Technology Linux driver change are scarce, but on select systems and for unspecified HPC workloads the ISST code could lead to reported performance penalties of 10% or more. The issue stems from the driver's CPU-to-PCI-device mapping: each lookup performs a linear search over the system's PCI devices, which on very large servers can be expensive, and the lookup is repeated on every class-of-service change rather than done once.

Fortunately, a patch is pending to optimize the CPU to PCI device mapping for the ISST kernel code. The patch noted, “It was observed that some of the high performance benchmarks are spending more time in kernel depending on which CPU package they are executing. The difference is significant and benchmark scores varies more than 10%. These benchmarks adjust class of service to improve thread performance which run in parallel. This class of service change causes access to MMIO region of Intel Speed Select PCI devices depending on the CPU package they are executing.

That slow lookup dramatically hurt some benchmarks on large servers with many PCI devices to search through linearly. The optimization caches the resolved PCI device and function so the search is not repeated on every access, which in turn "improves performance of these benchmarks significantly."

It's a narrow scope of impact, but if you run HPC workloads and use Speed Select, it may be of interest. It is also another recent example of the increasing complexity of CPU power management features and controls having the potential for significant unintended consequences.

Simplifying Device Provisioning On Private Mobile Networks

Enabling enterprise campus connectivity requires IT staff to plan what mobile devices need to be supported as well as how to best manage their access and security. 

As enterprises widely embrace private mobile networks to gain more deterministic wireless connectivity, coverage, and performance, they face some new device challenges. One of the biggest is provisioning and bootstrapping user equipment (UE) on enterprise private cellular networks.

In LTE and 5G devices, the SIM (Subscriber Identity Module) holds the credentials, or subscription, needed to authenticate to and access the service of a particular mobile network.

Credentials can be provisioned into the UE either on a removable physical SIM or on an embedded SIM (eSIM). In either case they must be formatted as an independent profile, even when the profiles carry the same information. Each physical SIM or eSIM module can hold one or more subscriptions.

In response to growing interest in eSIMs, the GSMA (GSM Association) has developed Remote SIM Provisioning specifications for eSIM use (SGP.02 for M2M devices and SGP.22 for consumer devices). The goal is to ensure interoperability and vendor independence for organizations adopting eSIM technology.

The GSMA specifications also define the processes, systems, and interfaces for remotely managing eSIMs in a secure and standardized way, so everyone uses the same techniques for downloading, enabling, disabling, and deleting subscriptions.

With the current GSMA specification, dual-SIM dual-standby (DSDS) operation requires one credential on the physical SIM and the other on the embedded SIM; both cannot come from the same module. Each physical SIM or eSIM can, however, host multiple credentials, with at most one active at a time.

This new kind of SIM, often referred to as an eUICC (Embedded Universal Integrated Circuit Card), works with any operator subscription in any part of the world, supports multiple subscriptions, and can be programmed to update subscriptions, as required, with an OTA (Over-The-Air) update.

eSIM and eUICC are often used interchangeably, even though there is a difference between the two. The eSIM is the hardware component of the SIM and a physical form that can be soldered into a solution. The eUICC is the software component that allows the remote SIM provisioning of multiple network profiles.

A welcome change to managing cellular access

Traditionally, UEs (such as the smartphones consumers use every day) use physical SIM cards provided by the mobile network operator. The eSIM represents a significant shift in how cellular connectivity is managed, because it allows access to different cellular networks without swapping the SIM or having any other physical access to the device. For the enterprise, this means much-improved efficiency in distributing user credentials for a network of any size.

Within a conference or convention center, for example, credentials can be recycled and made available to specific users in a transient manner and subsequently revoked and reused for other users as demands dictate. This helps maximize the device investment.

Embedded SIM technology that enables remote provisioning of a SIM has been commercially available for several years, but only in proprietary solutions. The landscape for standardized eSIM support is quickly changing. Among others, Zebra and Apple now support multiple SIMs as well as eSIMs in select devices, and the universe of eSIM support is growing fast.

Within Apple's iOS, for example, users can set the primary and secondary cellular subscriptions between the physical and embedded SIM profiles provisioned on the device (see diagram below).

Ultimately, the goal is to provide the ability to dynamically transition voice and data services across the physical and embedded SIM credentials based on available network connectivity.

Flexible eSIM provisioning options

The eSIM profile can be provisioned in several ways. One method is for the UE to scan a QR code containing an activation code, which tells the device which SM-DP+ (Subscription Manager Data Preparation) server to contact and which profile to request; the device then pulls the eSIM profile down from that server.

Another method is to use an existing mobile device management (MDM) system such as Jamf or AirWatch. The MDM directs devices to a specific SIM provisioning platform, which pushes a selected credential to the device. In this model, the eSIM credential to be assigned to the UE is paired in advance with the device's EID (eUICC identifier), the unique, built-in identifier of the embedded SIM chip, and when the UE contacts the server the credential bound to that EID is pushed to it.
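Both provisioning paths above start from the same two pieces of data: the activation code carried by the QR code and the device's EID. In the GSMA SGP.22 format the QR payload is "LPA:" followed by "$"-separated fields: the format version (always 1), the SM-DP+ address, the matching ID the server uses to pick the profile, and optionally the SM-DP+ OID and a flag saying a confirmation code is required. The EID is 32 decimal digits whose last two are ISO/IEC 7064 MOD 97-10 check digits, the scheme the GSMA eUICC specifications use for the EID, so a transcription error in an MDM inventory is detectable before a profile gets bound to the wrong chip. The following is an added example, not Celona's code or any MDM vendor's, that parses the activation code, validates the EID and records the pairing; smdp.example.com, the matching ID and the EID are constructed values.

```python
"""
Decode a GSMA SGP.22 activation code (the QR-code payload) and validate an
EID before pairing an eSIM profile with a device for an MDM-driven push.
Added example, not vendor code; host, matching ID and EID below are constructed.
"""

# Constructed sample inputs (not a real SM-DP+ and not a real eUICC).
QR_PAYLOAD = "LPA:1$smdp.example.com$ABC12-DEF34-GHI56$$1"
EID_BASE = "890490420000000000001234567890"   # first 30 digits of a made-up EID


def parse_activation_code(qr_payload):
    """Split 'LPA:' + AC_Format$SM-DP+_Address$AC_Token[$SMDPid[$CC_Required]]
    into its fields; only AC_Format 1 is defined."""
    if not qr_payload.startswith("LPA:"):
        raise ValueError("not an LPA activation code")
    fields = qr_payload[len("LPA:"):].split("$")
    if len(fields) < 3 or fields[0] != "1":
        raise ValueError("unsupported activation code format")
    smdp_address, token = fields[1], fields[2]
    if not smdp_address or not token:
        raise ValueError("SM-DP+ address and matching ID are mandatory")
    return {
        "smdp_address": smdp_address,
        "matching_id": token,
        "smdp_oid": fields[3] if len(fields) > 3 and fields[3] else None,
        "confirmation_code_required": len(fields) > 4 and fields[4] == "1",
    }


def eid_check_digits(base30):
    """ISO/IEC 7064 MOD 97-10: append '00', take the remainder mod 97,
    subtract from 98 and zero-pad to two digits."""
    if len(base30) != 30 or not base30.isdigit():
        raise ValueError("EID base must be 30 decimal digits")
    return "%02d" % (98 - int(base30 + "00") % 97)


def valid_eid(eid):
    """A well-formed EID is 32 digits whose value is congruent to 1 mod 97."""
    return len(eid) == 32 and eid.isdigit() and int(eid) % 97 == 1


def assign_profile(qr_payload, eid, assignments=None):
    """Bind the decoded profile to a device EID. Rejecting a malformed EID here
    stops a typo in an MDM inventory from pairing a subscription with the wrong
    chip, and refusing duplicates keeps one pending profile per eUICC."""
    if not valid_eid(eid):
        raise ValueError("EID failed length or check-digit validation")
    profile = parse_activation_code(qr_payload)
    assignments = {} if assignments is None else assignments
    if eid in assignments:
        raise ValueError("EID already has a pending profile")
    assignments[eid] = profile
    return assignments


if __name__ == "__main__":
    eid = EID_BASE + eid_check_digits(EID_BASE)
    table = assign_profile(QR_PAYLOAD, eid)
    for device, profile in table.items():
        print(device, "->", profile["smdp_address"], profile["matching_id"])
```

The matching ID is effectively a one-time claim ticket for a profile, so it deserves the same handling as any other bootstrap secret: it should be generated per device, delivered over the MDM channel rather than shared in bulk, and invalidated on the SM-DP+ once the download completes.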

The IoT model is typically intended for headless devices. The device reaches a predefined SM-SR (Subscription Manager Secure Routing) server, the element defined in the GSMA M2M specification, where it is authenticated, and the SIM provisioning platform pushes a credential pre-assigned to the device. The SM-SR securely delivers the encrypted operator credentials to the SIM and then, once the credentials are installed, remotely manages the SIM, enabling, disabling or deleting credentials as necessary.

While the eSIM ecosystem remains relatively young, the operational benefits derived from the technology are compelling.

eSIMs can increase flexibility, optimize cost, and add longevity to IoT devices by providing more flexible deployment options, thereby helping to maximize the return on (IoT) investment.

A myriad of enterprise use cases

Given that a UE needs to potentially support multiple enterprise credentials on the device and also support adding them dynamically, hosting the enterprise credentials as eSIM is an ideal solution for a wide range of enterprise environments.

eSIM technology is well suited to devices or IoT systems with very long lifetimes. It gives IT staff the ability to optimize coverage and reprovision devices onto more suitable cellular networks without sending someone into the field to physically swap SIM cards in myriad devices.

eSIM technology is also essential within large-scale deployments, especially those with devices in hard-to-reach locations. Being able to change network access credentials using an OTA update can save a considerable amount of time and money.

Also, some enterprises want mobile devices to roam between the enterprise cellular network (e.g., a CBRS LTE network) and a public cellular network. For example, smartphones or handheld devices used by a mobile workforce, such as an enterprise delivery fleet, may need to roam in and out of the enterprise network. In such scenarios, dual-SIM devices (pSIM plus eSIM) can be used with two separate subscriptions, one belonging to the enterprise network and the other provided by a mobile network operator.

Finally, eSIMs are extremely useful in industrial applications, especially those that require devices to operate in harsh environments. With eUICC technology that is soldered into place rather than housed in a removable plastic card, organizations can not only increase the life expectancy of devices (and improve security, since the credential cannot be pulled out and moved to another device) but also gain greater flexibility in performing moves, adds, and changes.

As enterprises embrace private cellular networks, eSIM technology is widely viewed as a welcome development for any company looking to reduce the friction and increase the flexibility of onboarding client devices, something IT staff can tell you all about.

Mehmet Yavuz is Co-Founder and CTO of Celona.
