AMD publishes technical assessment on CTS Labs' vulnerability reports

About a week ago CTS Labs, a Tel Aviv-based cybersecurity startup, made a public disclosure on vulnerabilities affecting AMD Ryzen and EPYC processors. Linus Torvalds reacted harshly to those premature claims: “When was the last time you saw a security advisory that was basically ‘if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?’ Yeah.” Various media reports spoke lengthily about the CTS Labs reports. [Read More]

linux.com website compromised?

The fifth season of History’s show Vikings premiered last week. I am subscribed to Netflix and unfortunately it’s scheduled for December. Even worse, perhaps it won’t be available on Netflix Mauritius. Meanwhile the internet is full of spoilers about the “delights” of the 2-hour-long premiere (episodes 1 & 2). Funny thing is that while searching about Vikings on the internet something peculiar appeared in Google search results. Indeed, the linux. [Read More]

Apple MacOS root access flaw

20 hours ago, Lemi Orhan Ergin, a software craftsman from Turkey, tweeted Apple to draw the latter’s attention to a security issue. It was not a vulnerability that required advanced skills to exploit. Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple? — Lemi Orhan Ergin (@lemiorhan) November 28, 2017 [Read More]

IBM to withdraw support for TLS 1.0 and 1.1

On the 28th November 2017 IBM announced it would stop supporting TLS 1.0 and 1.1 in several of its cloud products as from the 1st of March 2018. TLS 1.2 will continue to be supported. The change follows IBM’s commitment to offering secure cloud services and adhering to industry best practices. Transport Layer Security (TLS) is a cryptographic protocol that allows HTTPS to conduct secure transactions on the Internet. TLS 1. [Read More]

Can the MNIC really combat identity fraud?

If one reads the judgment of the Supreme Court in the case Madhewoo M vs State of Mauritius, one would find that a major argument that held the ruling in favor of the State is that of being able to prevent multiple enrollments; that is, prevent a person from having multiple identity cards under different names. Below is an extract of the judgment where the former Project Director of MNIC, Mr Rao Ramah explained how they leverage the use of fingerprints to detect and prevent re-registration attempts. [Read More]

Offences under the Mauritius National Identity Card Act

If a country has strict border security with biometric identification, you may still decline to visit the country, but if your own government makes it compulsory to give fingerprints for an identity card then you’re an outlaw for refusing same. The fear of paying Rs 100,000 fine and five years of imprisonment has certainly made many people rush to the national identity card conversion centres. I had friends and relatives sending me messages asking whether it is true that they could be jailed for refusing to give their fingerprints for the national identity card. [Read More]

Should we consider fingerprint minutiae as biometric data?

I wrote a letter to the Data Protection Commissioner today in order to obtain some clarification on whether fingerprint minutiae is biometric data. The Supreme Court of Mauritius in its verdict in the case JUGNAUTH Pravind Kumar (Hon) vs The State of Mauritius (2015 SCJ 178), said the following: « we grant a permanent writ of injunction prohibiting the defendants from storing, or causing to be stored, as the case may be, any fingerprints or biometric information data obtained on the basis of the provisions in the National Identity Card Act and the Data Protection Act. [Read More]

CERT-MU, no action against spam in Mauritius

I received emails about a Valentine’s sales offer on four of my email addresses; both work and personal. I never subscribed to receive commercial offers from that company which is based in Mauritius. In the absence of clearly defined laws and inaction from authorities, businesses in Mauritius feel it is okay to just send you offers by email. They do not realize that an email is not a webpage where they can sell their ads. [Read More]

Google Chrome hides SSL certificate details button

Until a few days ago, at least if you have not updated Google Chrome to version 56, you could simply click on the green padlock in the address bar to view SSL certificate details. Google Chrome now hides SSL certificate details from the padlock. Many users who had the habit of looking at certificate details to obtain information on the issuer, expiry date or SANs (SubjectAltName) would just find the missing “details” button annoying. [Read More]

Ministry of Public Infrastructure database hacked remotely, Minister says.

I read an article on lexpress.mu today that mentioned the Minister of Public Infrastructure saying a database of the ministry was “hacked”. The article is accompanied by a video in which we see the Minister clearly state the word “hack”. While I am glad and I appreciate the guts of the Minister to make such a public declaration, I also realize that the lack of transparency might have covered up security breaches in the past. [Read More]