Samsung Electronics today announced that it is bringing its next generation laundry innovation to the U.S.: the WW6850N washing machine featuring
20th Century Fox, Panasonic Corporation and Samsung Electronics today announced updates to the associated certification and logo program for the open,
There’s no denying it – the PC industry has changed. With tablets, smartphones, and wearables, we have the ability to shape our computing experience around our
Samsung Electronics today announced the Samsung Notebook 7 Spin (2018), a versatile notebook that provides consumers with the accessibility needed to
Today, attacks on our computers can be launched against an exponentially larger set of places on the network, actors in the system, and layers in the software and hardware stack. What is the solution then? The answer is a new technology called end-t…
It’s right around the corner… Cisco Live Europe 2018 in Barcelona, and I absolutely can’t wait! Every Cisco Live I’ve ever been to, or presented at, has been an amazing experience, but Barcelona is going to be in a league of its own. From the moment I arrive in Spain on Friday morning the entire […]
While drones will continue to get embedded more and more in industrial field operations, we believe that drone adoption will spread quickly to many other industries.
The Internet of Things – the increasingly connected world in which we live – is rapidly expanding. We love our convenient and fun devices – like personal assistants, wearables, speakers, cameras, TVs, cars, home alarm systems, toys and appliances. But it’s important to understand that connected devices rely on information about us – such as […]
Since then, there’s been considerable discussion about what this means for Google Cloud and the industry at large. Today, we’d like to clear up some confusion and highlight several key considerations for our customers.
Independent researchers separately discovered and named these vulnerabilities “Spectre” and “Meltdown.”
Project Zero described three variants of this new class of speculative execution attack. Variant 1 and Variant 2 have been referred to as “Spectre.” Variant 3 has been referred to as “Meltdown.” Most vendors are referring to them by Common Vulnerabilities and Exposures aka “CVE” labels, which are an industry standard way of identifying vulnerabilities.
There’s no single fix for all three attack variants; each requires protection individually.
Here’s an overview of each variant:
Variant 2 (CVE-2017-5715), “branch target injection.” This variant may be fixed either by a CPU microcode update from the CPU vendor, or by applying a software protection called “Retpoline” to binaries where information leakage is a concern. This variant is currently the basis for concerns around cloud virtualization and “Hypervisor Bypass” that affect entire systems.
Variant 3 (CVE-2017-5754), “rogue data cache load.” This variant is the basis behind the discussion around “KPTI,” or “Kernel Page Table Isolation.” When an attacker already has the ability to run code on a system, they can access memory which they do not have permission to access.
For more information on these variants, please read this week’s Google Security post.
Google’s engineering teams began working to protect our customers from these vulnerabilities upon our learning of them in June 2017. We applied solutions across the entire suite of Google products, and we collaborated with the industry at large to help protect users across the web.
G Suite and Google Cloud Platform (GCP) are updated to protect against all known attack vectors. Some customers may worry that they have not been protected since they were not asked to reboot their instance. Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers. Via live migration we can patch our infrastructure without requiring customers to reboot their instances.
Customers who use their own operating systems with Google Cloud services should continue to follow security best practices and apply security updates to their images just as they would for any other operating system vulnerability. We’re providing an up-to-date reference on the availability of vendor patches for common operating systems on our GCE Security Bulletin page.
There has been significant concern in particular about “Spectre.” The use of the name “Spectre” to refer to both Variants 1 and 2 has caused some confusion over whether it’s “fixed” or not.
Google Cloud instances are protected against all known inter-VM attacks, regardless of the patch status of the guest environments, and attackers do not have access to any customers’ data as a result of these vulnerabilities. Google Cloud and other public clouds use virtualization technology to isolate neighboring customer workloads. A virtualization component known as a hypervisor connects the physical machine to virtual machines. This hypervisor can be updated to address Variant 2 threats. Google Cloud has updated its hypervisor using “Retpoline,” which addresses all currently known Variant 2 attack methods.
Variant 1 is the basis behind claims that Spectre is nearly impossible to protect against. The difficulty is that Variant 1 affects individual software binaries, so it must be handled by discovering and addressing exploits within each binary.
Risks that Variant 1 would pose to the infrastructure underpinning Google Cloud are addressed by the multiple security controls that make up our layered “defense in depth” security posture. Because Google is in full control of our infrastructure from the hardware up to our secure software development practices, our infrastructure is protected against Variant 1. You can read more about the security foundations of our infrastructure in our whitepaper.
We work continuously to stay ahead of the constantly-evolving threat landscape and will continue to roll out additional protections to address potential risks.
In many respects, public cloud users are better-protected from security vulnerabilities than are users of traditional datacenter-hosted applications. Security best practices rely on discovering vulnerabilities early, and patching them promptly and completely. Each of these activities is aided by the scale and automation that top public cloud providers can offer — for example, few companies maintain a several-hundred-person security research team to find vulnerabilities and patch them before they’re discovered by others or disclosed. Having the ability to update millions of servers in days, without causing user disruption or requiring maintenance windows, is difficult technology to develop but it allows patches and updates to be deployed quickly after they become available, and without user disruption that can damage productivity.
Spectre and Meltdown are new and troubling vulnerabilities, but it’s important to remember that there are many different types of threats that Google (and other cloud providers) protect against every single day. Google’s cloud infrastructure doesn’t rely on any single technology to make it secure. Our stack builds security through progressive layers that deliver defense in depth. From the physical premises to the purpose-built servers, networking equipment, and custom security chips to the low-level software stack running on every machine, our entire hardware infrastructure is Google-controlled, -secured, -built and -hardened.
On most of Google’s workloads, including our cloud infrastructure, we’ve seen negligible impact on performance after applying remediations. This was explained further in our follow-up Security blog post on January 4.
There are many conflicting reports about patch impacts being publicly discussed. In some cases, people have published results of tests that focus solely on making API calls to the operating system, which does not represent the real-world scenario that customer software will encounter. There’s no substitute for testing to determine for yourself what performance you can expect in your actual situation. We believe solutions exist that introduce minimal performance impact, and expect such techniques will be adopted by software vendors over time. We designed and tested our mitigations for this issue to have minimal performance impact, and the rollout has been uneventful.
Technical details from Project Zero about these vulnerabilities
Information about these vulnerabilities and mitigations across all Google products
Additional information about impacts to performance
Our Support page offers a list of affected Google products and will be updated with their current status of mitigation against these risks
Our GCP Security Bulletins page will provide notifications as other operating system maintainers publish patches for this vulnerability and as Compute Engine releases updated OS images
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between December 29 and January 05. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically […]
It’s a new year, and some of this week’s trends (with data from Google News Lab) are about adjusting: to a new gym routine, unexpected weather, and a new law in California.
New Year’s resolutions = more searches for “gyms near me.” In fact, search interest in the phrase hit an all-time high this month. Despite a heightened desire to hit the gym, interest in “new year diet” was 200 percent higher than “new year exercise” this week. Looking ahead to the new year, people are wondering: “What is a New Year’s resolution for kids?” “What is the history behind New Year’s resolutions?” and “Who made the first New Year’s resolution?”
“What is a bomb cyclone?” was a top-searched question this week as a massive winter storm hits the east coast of the U.S. Snow is showing up in unexpected places around the country as well. When people search for “Snow in…” the most popular locations are Florida, Tallahassee and Orlando. And with cold weather taking over, search interest in “frozen pipes” has reached its highest point this week since 2004. Top “how to” searches include “how to thaw frozen pipes,” “how to keep pipes from freezing,” and “how to fix frozen pipes.”
Despite the cold weather, people have something warm to look forward to: The lineup for Coachella 2018 was announced this week, and search interest in “Coachella tickets” went up nearly 6,500 percent. Coachella-goers are already looking into lodging, with “Coachella airbnb” searched 100 percent more than “Coachella hotel.” The top-searched Coachella performers were Cardi B, Eminem, Beyoncé, Post Malone and Migos.
Recreational marijuana was on people’s minds (and on sale for the first time in California) this week. In California, top questions included “where to buy legal weed in Los Angeles,” “What is the tax on weed in California,” and “Where can I buy marijuana?” Meanwhile, following the announcement that the Justice Department is rescinding a policy that enabled legalized marijuana to flourish in many states, the top trending question nationwide was “Why are marijuana stocks down?”
For the first time, two SEC teams—University of Alabama and University of Georgia—will face off in the College Football National Championship on Monday. Though the game’s outcome is yet to be decided, search interest in “Alabama Crimson Tide football” is beating “Georgia Bulldogs football” by 190 percent. After Georgia’s overtime win in the semi-final, the top trending college football questions this week were about overtime: “How does overtime work in college football?” “How many overtimes are in college football?” and “How long is overtime in college football?”
Both the Google Assistant and Google Home had a very big year in 2017, with new devices, new languages and new features. The Assistant is now available on more than 400 million devices, including speakers like Google Home, Android phones and tablets, iPhones, headphones, TVs, watches and more. We brought the Google Assistant to a dozen countries, from France to Japan, offering help in 8 languages around the globe.
With Google Home Mini and Google Home Max in addition to our original Google Home, we brought you even more ways to use the Assistant in your home. So it’s no wonder we’ve sold tens of millions of all our Google devices for the home over this last year. And in fact, we sold more than one Google Home device every second since Google Home Mini started shipping in October.
As we’ve added more features—like Voice Match, Broadcast and Hands-Free Calling—the Google Assistant has become even more helpful. Your Assistant now gives you the power to voice control more than 1,500 compatible smart home devices from over 225 brands. With all these choices, you’ve connected millions of new smart home devices to Google Home every month. All told, Google Home usage increased 9X this holiday season over last year’s, as you controlled more smart devices, asked more questions, listened to more music, and tried out all the new things you can do with your Assistant on Google Home.
No matter where you are, the Google Assistant is here to help you make the most of 2018. And next week, we have even more things in store for the Assistant at the Consumer Electronics Show in Las Vegas. If you’re at CES, stop by the Google Assistant Playground (Central Plaza-21) to check out some of our new integrations, devices, and the newest ways you can use your Assistant.
Just before the holidays, the Cisco France team organized a three-day trip for us to assess progress on smart city projects underway, strengthen relationships with city leaders and ecosystem partners, and explore new opportunities. I wanted to share th…
This year at CES, Samsung showcases Relúmĭno glasses – smart visual aid eyeglasses to help people with vision challenges see images clearer when they are
For those of us in the tech and related industries, the start of each new year represents a period for our own personal moments of reflection, but also as