Category Archives: Alert

Security alerts

Windows and Linux to Patch Major Intel Chip Flaw

UPDATE: As reports and speculation escalated, Google’s Project Zero released its write-up of the flaw and the attacks.  Reporters, including this one, are just learning the details of this.  An FAQ about the attack says that it affects Intel, AMD and ARM processors and, they say, every microprocessor made since 1995.

Microsoft released an emergency patch overnight and Amazon announced that they have completed patching all but a small number of machines, which will be patched in the next few hours.  Expect more announcements over the next days.

Keep in mind that attackers will have to figure out how to weaponize this, but applying this patch should be considered critical.

The big tech news of the day is that Microsoft and the Linux community are about to release major patches to both environments, covering all supported versions of both, for a known problem in the Intel x86-64 environment.  For Linux users, you will need to make sure that the particular distribution that you are running has the patch.  I assume but do not know that Microsoft will patch all supported operating systems back down to Windows 7.

Intel made a design decision years ago, and operating systems built on it, to keep the kernel’s memory mapped into every user program’s address space, relying on the processor’s privilege checks to keep user code from reading it.  That avoids switching page tables on every system call and makes operating system services quicker for user programs.

The details of the bug have been embargoed until the Windows and Linux patches have been released.  Apple released their MacOS patch (10.13.2) in mid December.  Still, reverse engineering betas of the Linux code is giving folks at least a partial idea of the problem.

Several years ago operating system vendors implemented a feature called address space layout randomization, or ASLR; applied to the kernel it is called KASLR.  KASLR randomizes where the kernel and its modules are placed in memory in order to make it harder for attackers to jump to known places in the operating system to do their dirty work.

Unfortunately, it appears, the bug allows ordinary programs, from web browsers to databases, to read kernel memory.  If user programs can read kernel memory, they can find passwords and keys, among other things.  They can also learn where the kernel was placed, effectively neutering KASLR.

Given all this and possibly more, the patch becomes critical.
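For Linux users, here is one way to check whether the kernel you are running carries the page-table isolation (PTI) fix.  This is an added example, not code from the post or from any distribution; the file paths and field names are the real Linux interfaces, but the /proc/cpuinfo excerpts in the block are constructed samples, not captured from a machine.

```python
"""Check whether a Linux kernel carries the page-table isolation (PTI)
mitigation for the kernel-memory-read flaw. Added example; not from the
original post or from any distribution's tooling.

Signals used (the paths and field names are real; the sample text further
down is constructed):
  * /proc/cpuinfo "flags": patched kernels add "pti" (early KAISER
    backports used "kaiser").
  * /proc/cpuinfo "bugs": patched kernels list "cpu_meltdown".
  * /sys/devices/system/cpu/vulnerabilities/meltdown: kernels with the
    mitigation-reporting interface write "Mitigation: PTI", "Vulnerable"
    or "Not affected".
"""
from pathlib import Path

PTI_FLAGS = {"pti", "kaiser"}
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def cpuinfo_field(cpuinfo_text: str, field: str) -> set:
    """Union of the whitespace-separated values of `field` across all CPUs."""
    values = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == field:
            values.update(value.split())
    return values


def pti_verdict(cpuinfo_text: str, meltdown_text=None) -> str:
    """Classify a kernel from its /proc/cpuinfo text and, when available,
    the contents of the sysfs 'meltdown' file. Returns one of
    'mitigated', 'vulnerable', 'not-affected', 'unknown'."""
    if meltdown_text is not None:
        text = meltdown_text.strip().lower()
        if text.startswith("mitigation"):
            return "mitigated"
        if text.startswith("not affected"):
            return "not-affected"
        if text.startswith("vulnerable"):
            return "vulnerable"
        return "unknown"
    # Older kernels have no sysfs file; fall back to the cpuinfo flags.
    flags = cpuinfo_field(cpuinfo_text, "flags")
    if flags & PTI_FLAGS:
        return "mitigated"
    if "cpu_meltdown" in cpuinfo_field(cpuinfo_text, "bugs"):
        # The kernel knows about the bug but PTI is not active (e.g. pti=off).
        return "vulnerable"
    return "unknown"


def live_verdict() -> str:
    """Run the check against the machine this script executes on."""
    cpuinfo = Path("/proc/cpuinfo").read_text()
    meltdown_file = SYSFS_VULN_DIR / "meltdown"
    meltdown = meltdown_file.read_text() if meltdown_file.is_file() else None
    return pti_verdict(cpuinfo, meltdown)


# Constructed /proc/cpuinfo excerpts (not captured from a real machine).
SAMPLE_PATCHED = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse2 pti\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)
SAMPLE_PTI_OFF = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse2\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)
SAMPLE_OLD_KERNEL = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse2\n"
    "bugs\t\t:\n"
)

if __name__ == "__main__":
    print("sample patched   :", pti_verdict(SAMPLE_PATCHED))
    print("sample pti=off   :", pti_verdict(SAMPLE_PTI_OFF))
    print("sample old kernel:", pti_verdict(SAMPLE_OLD_KERNEL))
    try:
        print("this machine     :", live_verdict())
    except OSError:
        print("this machine     : /proc/cpuinfo not readable (not Linux?)")
```

On a kernel old enough to lack the sysfs file, an "unknown" verdict means the kernel has no idea the bug exists, which for practical purposes is the same as vulnerable.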

For enterprises and end users, installing these patches quickly is important because as of today, hackers are likely thinking about how to abuse your systems.

A couple of more things.

The question came up whether Intel could patch the microcode to fix this.  The answer, apparently, was no.  This was a fundamental design flaw.

Also, apparently, it required major effort on the part of Windows and Linux developers.  So much so that they were tempted to name it Forcefully Unmap Complete Kernel With Interrupt Trampolines. You can figure out what the acronym for that would be.

Oh yeah, there was a reason that Intel did things the way that they did – PERFORMANCE.  Separating the kernel’s page tables from the user’s will cost from 5% to 30% depending on the chip family and the workload.  This means that the patches have to be coded differently for different chip generations.  The performance hit will especially hit cloud providers like Google Compute Engine and Amazon EC2.

Finally, the early reports said that because this is a problem with Intel’s chip implementation, it does not affect servers with AMD processors.  The update at the top of this post supersedes that: Project Zero’s disclosure covers Intel, AMD and ARM.  The variant that lets user code read kernel memory, the one the page-table isolation patches address, was reported against Intel; the other speculative-execution variants affect AMD and ARM as well.

I assume that Intel will fix this in the next generation of chips, but then we will have to add yet another check to see whether this is a new chip with the fix in hardware and code that case differently again.  What a mess.  Shades of the Pentium FDIV bug, except that one was handled by replacing the chips; this one, as noted above, cannot be fixed in microcode.

This one is a big deal!

Information for this post came from The Register.

DHS and FBI Announce Threats to Energy and Critical Infrastructure

In what is an unusual move by the FBI and DHS, US-CERT released a security bulletin saying that attackers have been going after government entities and critical infrastructure since at least May.

They said this is a multi-stage attack, going after low security and small networks and then moving inside those networks to attack other higher value assets.

Since at least May, the attackers have been going after critical targets like energy, water, aviation, nuclear and critical manufacturing.  In addition, they are also targeting government entities.

The attacks start by going after “staging targets” – possibly suppliers or other vendors with less secure networks and use those compromised networks to target the ultimate target.

Using the standard cyber kill chain attack model, the bulletin walks through the phases of the attack.  The first five of the kill chain’s seven phases (command and control and actions on objectives follow them) look like this here:

  1. Reconnaissance – gather information on the organization and its potential weaknesses; in this case, specific, targeted organizations and their staff.
  2. Weaponization – build the lure, in this case spear phishing emails with malicious attachments aimed at the target’s staff.
  3. Delivery – get the lure to the target’s staff, here by sending the spear phishing email.
  4. Exploitation – the recipient opens the attachment and the attacker gets code running inside the organization, which is used to steal credentials.
  5. Installation – with a foothold and credentials in hand, download additional tools to persist, expand across the network and use the compromised company to launch attacks against the ultimate targets.

The FBI admitted, with no details, that some of the attacks have been successful.  The fact that they are issuing a very public announcement as opposed to a much quieter memo, say via Infragard, says that (a) the attacks have been more successful than they might want to admit, (b) that the attacks are going after smaller, less sophisticated organizations that have less sophisticated defenses and (c) the attacks are ongoing.

This means that organizations need to be on higher alert than they might be otherwise.  To steal a term from the Department of Defense, if your organization was at DEFCON 4 before (the second lowest level of alert), now might be a good time to go to DEFCON 3 or 2 (DEFCON 2 being the second highest).

The bulletin provides specific IOCs (indicators of compromise) for each target industry segment.
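What you do with those IOCs is sweep them across your own logs.  The block below is an added example of that, not code from the post or the bulletin; the indicator values and log lines in it are constructed (documentation IP ranges, reserved example names and a made-up hash), not the bulletin’s real indicators.

```python
"""Match a bulletin's indicators of compromise (IOCs) against proxy, DNS and
endpoint log lines. Added example, not from the original post or from the
US-CERT bulletin; the indicators and log lines below are constructed.

Three indicator kinds are handled:
  * IP addresses: exact match on any dotted-quad token.
  * Domains: match the host itself and any subdomain of it.
  * SHA-256 hashes: exact (case-insensitive) match on any 64-hex token.
"""
import re
from dataclasses import dataclass

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Candidate host names: dotted labels ending in an alphabetic label. File
# names such as "form.docm" also match; they simply never hit a domain IOC.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip", "domain" or "sha256"
    indicator: str   # the IOC that matched
    token: str       # the token in the log line that matched it


def _domain_matches(token: str, indicator: str) -> bool:
    """True for the indicator itself and for any of its subdomains."""
    token = token.lower().rstrip(".")
    indicator = indicator.lower().rstrip(".")
    return token == indicator or token.endswith("." + indicator)


def scan(lines, iocs):
    """Return a Hit for every indicator found in `lines`.
    `iocs` maps kind ("ip", "domain", "sha256") to a set of indicators."""
    ips = set(iocs.get("ip", set()))
    domains = set(iocs.get("domain", set()))
    hashes = {h.lower() for h in iocs.get("sha256", set())}
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append(Hit(n, "ip", ip, ip))
        for host in HOST_RE.findall(line):
            for d in domains:
                if _domain_matches(host, d):
                    hits.append(Hit(n, "domain", d, host))
        for h in SHA256_RE.findall(line):
            if h.lower() in hashes:
                hits.append(Hit(n, "sha256", h.lower(), h))
    return hits


# Constructed indicators (NOT the bulletin's): documentation IP range,
# reserved .example name, made-up hash.
IOCS = {
    "ip": {"198.51.100.23"},
    "domain": {"update-check.example"},
    "sha256": {"0123456789abcdef" * 4},
}

# Constructed log lines in a generic key=value shape.
LOG_LINES = [
    "2017-10-20T09:12:01Z proxy user=jdoe dst=203.0.113.5 host=portal.example.org status=200",
    "2017-10-20T09:13:44Z proxy user=jdoe dst=198.51.100.23 host=cdn.update-check.example status=200",
    "2017-10-20T09:14:02Z av user=jdoe file=/srv/share/form.docm sha256=" + "0123456789ABCDEF" * 4,
    "2017-10-20T09:20:17Z dns user=asmith query=mail.example.org answer=203.0.113.9",
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES, IOCS):
        print(f"line {hit.line_no}: {hit.kind} IOC {hit.indicator} matched {hit.token}")
```

Subdomain matching matters because attackers rotate hosts under a domain they control; exact-string matching on the indicator would miss cdn.update-check.example in the sample.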

If you need assistance, please contact us.


Information for this post came from CERT.

Patching IoT Gets Out of Hand

In what may be the first of its kind event, the FDA recalled a pacemaker from St Jude, now owned by Abbott Labs.

Researchers discovered the flaws prior to Abbott’s acquisition of St. Jude and reported them to both the FDA and St. Jude.  Both decided to do nothing about it until the researchers went public.

In April of this year, the FDA put out a “warning” – also likely a first of its kind – that the devices, which can be controlled remotely, were likely hackable and also had a battery problem that could cause the device to go dead – possibly along with the patient – before it was supposed to.  At that time Abbott said that they took security seriously and had fixed all the problems (see Fox Business).

Fast forward to this week and the FDA has now issued a recall of close to a half million of the supposedly fixed devices.

Since the devices are implanted inside people, the plan is NOT to perform a half million surgeries to remove them, but rather to go to their doctor to have the firmware in the device updated.

As I recall, one of the problems WAS this update capability.  The researchers were able, I think, to buy pacemaker programmers on eBay and reprogram any pacemaker from that manufacturer without authentication.    All they had to do is be in radio range of it.

Obviously, being able to reprogram the pacemaker (which has to be done in a facility that can control a patient’s heart rhythm while the pacemaker is being hacked.  Err, patched.  Err, upgraded) is a LOT safer than a half million surgeries, but still it is not without risk.

No clue what the cost of this little adventure will be, but it won’t be cheap.  Even if each doctor visit costs a hundred bucks – which is highly unlikely – that would still be a cost of $50 million.  If the cost is $500, then the total would likely be in the $250 to $500 million range when you add legal fees, fines and support costs.

One other interesting feature.  The researchers approached St. Jude about paying them a bug bounty, which is common in the tech world, and St. Jude decided not to.  Instead, the researchers approached Muddy Waters Capital, who sold the stock short and then announced the vulnerabilities.  When the stock price went down, which it did, Muddy Waters covered their short and made out very nicely.  Muddy Waters and the researchers had a deal to split the profits in some fashion.  There were some people who thought that was a bit too capitalistic, but it is not illegal.  Maybe next time, they will work with the researchers when they approach them.

Information for this post came from The Guardian.

The Insider Threat Cost One Mortgage Company $25 Million

This case of intrigue may seem like it belongs in a spy novel, but in this case, it is winding up in the Board Room and the court room.

Here is the story.  Chicago based Guaranteed Rate courted Benjamin Anderson, an employee of a much smaller rival mortgage company, Mount Olympus Mortgage.  While still employed at Mount Olympus, Anderson signed an employment contract with Guaranteed Rate.  An employee considering a move wants assurances that if he or she quits, there will be a job waiting at the new company, but this is usually done via a written offer letter, not a signed employment agreement.  Once he signed the agreement he was, in fact, working for two competing mortgage companies at the same time.

While this may be unethical – and possibly a violation of his contract with Mount Olympus – it may not be illegal.  What happened next, however, was illegal.

Over a period of weeks, Anderson downloaded and transferred loan files – hundreds of them – to his new employer.  Anderson’s new contract with Guaranteed Rate paid him a much higher commission during his first few months, encouraging him to close as many loans as possible during that time-frame.  Some of those loans closed before he even left Mount Olympus.

Eventually, Mount Olympus discovered what he was doing and sent cease and desist letters and then, ultimately, filed a lawsuit.  It is certainly possible that if Anderson had been less greedy and only transferred tens of loans, he might not have ever gotten caught.

Even though Mount Olympus was small, they were able to detect what was happening.  One way to detect this would be when they contacted a borrower and the borrower said that they were no longer working with that company.

The judgement, with a total value of around $25 million includes $13 million in punitive damages, $5.6 million in lost profits and $4.6 million in lost business value.  For a company as big as Guaranteed Rate, who funded $18 billion in loans last year, this is a blip, but for smaller companies this could be a death sentence.

There are several messages in this verdict –

First, if you are luring an employee away from a competitor, make sure that they are not working for both you and the competitor at the same time.  One strike against Guaranteed Rate.

Second, make sure that compensation is not structured to encourage a new employee to steal intellectual property from the employee’s former company.  Strike two against Guaranteed Rate.

Third, make sure that employees understand that bringing their former employer’s (stolen) intellectual property with them will not be tolerated and will be grounds for immediate dismissal.  This has to be a policy with teeth.  As Uber is learning right now in a lawsuit they are fighting, saying one thing but winking that they don’t mean it will land you in court.  Strike three and $25 million later…

Finally, for all companies, the ability to deter and detect the insider threat scenario is critical.  The theft of intellectual property can ruin a company.  Failing that, it can cost large legal fees on both sides and in some cases multi-million dollar judgments.

In this case it was likely easy to detect the theft, but in many cases you don’t have the obvious smoking gun, which means that logging and alerting becomes much more important.
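The kind of logging and alerting that would have caught this earlier is not exotic: count how many customer files each person touches per day and compare it to that person’s own history.  The block below is an added example of that, not code from the post or from either company; the access records in it are constructed.

```python
"""Flag a user whose document-access volume jumps well above their own
baseline, the pattern behind 'hundreds of loan files over a period of
weeks'. Added example, not from the original post or the court record;
the access records are constructed.

Two rules:
  * spike: per user, count distinct files touched per day; the baseline is
    the median of that user's earlier days; a day is flagged when it exceeds
    both an absolute floor and a multiple of the baseline.
  * window: the rolling total over a window, which catches a slow drip
    that never spikes on a single day.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def daily_counts(records):
    """records: iterable of (user, date, file_path).
    Returns {user: {date: number of distinct files touched}}."""
    per_day = defaultdict(lambda: defaultdict(set))
    for user, day, path in records:
        per_day[user][day].add(path)
    return {u: {d: len(f) for d, f in days.items()} for u, days in per_day.items()}


def spike_alerts(counts, floor=25, ratio=5.0, min_history=3):
    """(user, day, count, baseline) for days far above the user's own median."""
    alerts = []
    for user, days in counts.items():
        history = []
        for day in sorted(days):
            n = days[day]
            if len(history) >= min_history:
                base = median(history)
                if n >= floor and n >= ratio * max(base, 1):
                    alerts.append((user, day, n, base))
            history.append(n)
    return alerts


def window_alerts(counts, window_days=14, limit=150):
    """(user, day, total) the first time a user's rolling total crosses limit."""
    alerts = []
    for user, days in counts.items():
        for day in sorted(days):
            start = day - timedelta(days=window_days - 1)
            total = sum(n for d, n in days.items() if start <= d <= day)
            if total >= limit:
                alerts.append((user, day, total))
                break  # one alert per user is enough to open a case
    return alerts


def sample_records():
    """Constructed access log: 'asmith' works 5 files a day; 'banderson'
    works 5 a day, then drips 15 a day, then grabs 60 on the last day."""
    records = []
    start = date(2017, 3, 1)
    for i in range(20):
        day = start + timedelta(days=i)
        for k in range(5):
            records.append(("asmith", day, f"loans/2017/{day:%m%d}-{k}.pdf"))
        per_day = 5 if i < 10 else 15
        if i == 19:
            per_day = 60
        for k in range(per_day):
            records.append(("banderson", day, f"loans/2017/{day:%m%d}-{k}.pdf"))
    return records


if __name__ == "__main__":
    counts = daily_counts(sample_records())
    for user, day, n, base in spike_alerts(counts):
        print(f"SPIKE  {user} {day}: {n} files (baseline {base})")
    for user, day, total in window_alerts(counts):
        print(f"WINDOW {user} {day}: {total} files in 14 days")
```

In the sample the drip at 15 files a day never trips the spike rule, but the 14-day window crosses 150 files two days before the big grab; that is the alert that would have mattered here.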

Unfortunately, it is likely more common than you might guess that employees take at least some intellectual property with them when they leave an employer.  Strong policies and good insider threat detection can slow that theft down.

Information for this post came from the Chicago Tribune.

Russian Hackers Attacking Hotel WiFi Again

The security firm FireEye has said that they have moderate confidence that a campaign targeting hotels in Europe is the work of the Russian hacking group APT28.

One way the attack works is to send a phishing email to hotel staff with an infected Word document whose name looks like a hotel reservation form.  If a user opens the attachment and enables the embedded macro, the attacker has a foothold on the hotel network.

At that point, it tries to move around the hotel network using several techniques – even using the NSA hacking tool EternalBlue that was at the center of the WannaCry attack recently.

What it is looking for is the computers controlling WiFi for hotel guests and staff.

While FireEye didn’t see guest credentials being stolen in this attack, they did see that in an attack from last year.

The hackers listen for guests’ or staff computers trying to resolve the names of network shares (the NetBIOS and LLMNR name lookups Windows falls back to) and answer as if they were those shares.  The victim’s computer then tries to authenticate to the spoofed share and hands over its username and an NTLM challenge-response hash of its password, which the attackers can take home and crack offline.
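A simple way to tell whether someone on the network you just joined is running that trick: ask for a name that cannot exist and see if anything answers.  The block below is an added example of that probe for LLMNR (RFC 4795, UDP port 5355 on the 224.0.0.252 multicast group), not code from the post or from FireEye.  It does not cover the NetBIOS name service, which a poisoner will usually spoof as well; the bogus name prefix and the response construction used for the offline check are my own choices.

```python
"""Probe for an LLMNR name poisoner (the Responder-style attack behind
spoofed-share credential capture). Added example, not from the original
post or from FireEye's report. Covers LLMNR only, not NetBIOS name service.

A legitimate network never answers an LLMNR query for a name that does not
exist; a poisoner answers every query with its own address. So: ask for a
random, nonexistent name and treat any answer as a poisoner. LLMNR reuses
the DNS message format, so building and parsing are pure functions that can
be exercised on constructed bytes without a network.
"""
import secrets
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Read a (possibly compressed) name at `off`; return (name, next_off)."""
    labels, jumped, next_off = [], False, None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                next_off = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (next_off if jumped else off)


def build_query(name: str, txid: int) -> bytes:
    """Standard query: id, flags=0, QDCOUNT=1, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_answers(resp: bytes, txid: int):
    """IPv4 addresses in the A records of a response to `txid`;
    [] if the packet is not a response to our query."""
    if len(resp) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:        # QR bit must be set
        return []
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = decode_name(resp, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def build_response(query: bytes, answer_ip: str) -> bytes:
    """What a poisoner sends back: echo the question, add one A record
    pointing at itself. Used here only to construct offline test input."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 30, 4)
    return header + query[12:] + rr + socket.inet_aton(answer_ip)


def probe(timeout=2.0):
    """Send one bogus query to the LLMNR group; return [(sender, claimed_ip)]."""
    name = "wpad-" + secrets.token_hex(4)        # assumed bogus name prefix
    txid = secrets.randbelow(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    poisoners = []
    try:
        sock.sendto(build_query(name, txid), LLMNR_GROUP)
        while True:
            data, (src, _port) = sock.recvfrom(1500)
            for ip in parse_answers(data, txid):
                poisoners.append((src, ip))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return poisoners


if __name__ == "__main__":
    print("LLMNR poisoners:", probe() or "none answered")
```

The transaction id check matters: on a busy network you will see other hosts’ LLMNR traffic, and only an answer to your own bogus query is evidence of poisoning.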

This is one more indication that hacker groups from around the world are reusing exploits learned over time to build better attack mechanisms, and WiFi, especially business travelers using hotel WiFi, is a very juicy target.

From a hotel guest standpoint, here are several suggestions:

  1. If you can avoid it, do not use hotel WiFi.  It is even more risky than using WiFi at your local Starbucks and you know what I think about doing that.
  2. If you must have Internet access, use your phone as WiFi hotspot if it allows it.  At least that way you won’t be infected by a compromised hotel WiFi server.
  3. Use a portable WiFi “Puck”.  All of the carriers sell them and if the use is intermittent, a prepaid plan may be less expensive.
  4. Use a WiFi bridge.  This portable device does exactly what it says.  You connect your phone or laptop to the bridge and then the bridge connects to the hotel WiFi.  Since the bridge does not run a standard operating system with all of its potential vulnerabilities, it will be very difficult to infect the bridge with standard Windows or Linux exploits.  These are available on Amazon for less than $50.
  5. Use a portable WiFi firewall like the Tiny Hardware Firewall.  This is the most complex and expensive solution at around $100, but also the most flexible.  It will support a VPN and also a TOR connection if you choose to go that route.

Bottom line – anything other than hotel WiFi.

While this particular attack is new (starting in July) and has not YET been seen in the United States, that is likely only a matter of time.  Being prepared for what is sure to come seems like a good plan.

Information for this post came from  KnowBe4.

Don’t Turn on WiFi on Your Phone Until You Patch it

An interesting vulnerability was just announced that affects both Apple and Google/Android phones.  That is something that is very unusual.

The bug is in the WiFi chip, the Broadcom 43xx family, which has its own processor and firmware separate from the phone’s main CPU (it is often lumped in with the “baseband”, though the cellular baseband is normally a separate chip).  Broadcom’s combo chips in this family handle WiFi, Bluetooth and FM radio on one chip.

Unfortunately, researchers found a bug in the WiFi firmware that would allow an attacker to take over the WiFi chip’s processor and from there, the entire phone.

The reason this affects both Apple and Android phones is that this chip is used by almost everyone.  From iPhone 5s to the newest Android phones, they are all impacted.

Apple just released iOS 10.3.3 (which may or may not have been downloaded to your iPhone yet) and Google just released an Android patch in the July updates.  Unlike Apple devices, Android users have to wait for manufacturers to pick up Google’s fixes and test them and then wait again for carriers to make them available.  The only users who do not have to wait are Google branded Android phone users.  Those users get their patches directly from Google.

What can you do?

Three answers.

If you are an Apple user, download iOS 10.3.3 and install it.  Done!

If you are a user who is running a relatively new version of the Android OS on your phone AND your phone manufacturer/carrier is actively releasing updates, you should install the July update as soon as it is available.  That might be 30 days or more.

If you are running an older version of the Android OS and/or your carrier/phone vendor is not releasing security updates, you are kind of out of luck.  Turn off your WiFi and DO NOT TURN IT ON EVER AGAIN.  For most people, this is probably the time to get a new phone.

Why, you say, am I so aggressive about this?

The report is that you only have to be within radio range of the WiFi access point which is trying to attack you in order to be compromised.  You DO NOT need to connect to that access point.  You do not need to open a web browser.  You do not need to install an app.  You do not need to click on a link.  All you need to do is be near a rogue WiFi access point – which could easily be hidden in someone’s backpack.

So, for now, until you have installed the patch, if you can, leave WiFi off.  If you can’t, then only turn it on when you have to.

We will know more after the researcher presents his findings at Black Hat later this month, but at least from what we have heard, this does not affect Windows or Mac computers, only mobile devices.  But, stay tuned; this is not the end of the story.

Information for this post came from Threatpost.