8 new Spectre-Class Vulnerabilities
Researchers have reportedly found *8* new Spectre-class vulnerabilties. Intel has classified 4 of them high risk and 4 of them medium risk, although they are not releasing any details on them – yet. The entire set is being referred to as Spectre Next Generation or Spectre-NG. At least one of them is rumored to be able to capture data from other virtual machines, like passwords, running on the same computer – as would be the case in Microsoft Azure, Google Compute or Amazon EC2.
Supposedly Intel is planning on releasing some patches this month and some more in August. Until then and until we get more information, it is a bit of a black hole.
As we saw with the earlier Spectre vulnerabilities, some chips could be patched while others could not. That is likely the case here.
We also saw that it was hard to exploit the old Spectre vulnerabilities. Apparently, for at least one of these new vulnerabilities, it is realtively easy to exploit. Combine that with the suspicion that some chips may not be fixable …. not good.
It is rumored that at least some of these flaws affect ARM chips as well; it is unknown if they affect AMD chips, which have their own set of flaws not affecting Intel.
Ultimately, this should have been expected. As chip makers pushed harder and harder to make their chips faster – faster than the previous generation and faster than their competitors, they took calculated risks. Now those risks are coming back to haunt them (Source: The Hacker News).
The General Data Protection Regulation (GDPR)
The GDPR went into effect in the EU on Friday and it is likely to have an effect not only on EU residents but also people around the world. It significantly increases resident’s control over their information and how it is used.
The United States has a completely different view on the subject; specifically, businesses can pretty much do whatever they want with information that they collect about you and me. Check out Facebook or Google if you have any questions about that.
Other countries such as Japan, South Korea, Brazil, Thailand, Bermuda and others seem to be lining up with the EU’s way of thinking because doing that allows for a more seamless transfer of information between the EU and those countries and that translates to more business.
The U.S. has negotiated an agreement with the EU called Privacy Shield, which was negotiated after the last agreement, Safe Harbor, was shot down by the EU’s High Court. Privacy Shield is now in front of the High Court and no one knows what that outcome will be.
With Friday’s law in place, a number of U.S. media companies like the LA Times and Chicago Tribune have blocked EU users from accessing their web sites rather than become compliant. Not sure that is a great strategy, but maybe. That strategy is especially suspect if more countries adopt EU-like laws. If they do then companies that are not compliant may be limited to being visible in the United States. That also means reduced business opportunities for those companies.
Literally, as soon as the law came into effect, complaints were filed in multiple countries against large U.S. companies like Facebook. Stay tuned for the outcome of those complaints. Like the Chinese proverb says: may you live in interesting times. This qualifies (Source: Reuters).
Vermont Data Broker Regulation Now In Effect
Until now data brokers like Acxiom (yes, you have never heard of them and that is not a coincidence) collect and aggregate data from hundreds of sources and generate thousands of data points per person. They know that you bought some particular medicine last week and infer what the disease it. That isn’t covered under HIPAA because, they have not talked to your doctor. They create their own variant of a credit score, but since it is not actually a credit score, it isn’t regulated.
Well as of last week, Vermont has become the first state in the country to regulate data brokers. Hardly the end of the road for brokers, but, at least, there are now some security requirements for these folks.
Now they will have to meet security requirements, control access to the data, and, report breaches. And, using their data for fraud is now a crime on its own. Will other states follow? Who knows; stay tuned (Source: Tech Crunch).
Blockchain Will Solve All Known Problems – As Soon As They Perfect The Software
From the title of this item, you can probably figure out where I stand on the Blockchain mania.
Chinese hackers have discovered a flaw in the EOS (blockchain) Smart Contract software that allows them to execute arbitrary code on on the the EOS nodes, from there to control an EOS supernode that manages other nodes and from there control other nodes. Ultimately, potentially, completely compromising the integrity of the blockchain.
Other than that, it is perfect.
This is not a flaw in the cryptography. Only a flaw in the software. Kind of like forging your signature on a paper contract, only in that case, they can’t forge it from, say, China. In this case, they can.
So as people drool in bliss over blockchain, remember that the blockchain is not loops of steel chain, but rather software and as soon as any piece of software exceeds about 2 lines of code, it is likely to have bugs in it.
It will likely be 10-20 years before there is sufficient case law to figure out who is liable for the software bugs, but you can count on one party claiming it is not them and that is the software developers. The law still, pretty much, thinks you draw up contracts with a quill pen and and ink well, so don’t count on much help from the law if you wind up in the middle of a fraudulent smart contract.
Oxnard Investigating Data Breach
The city of Oxnard is investigating a breach of credit card information used by customers to pay their water bill. The breach was caused by multiple vulnerabilities in their vendor’s (Superion) software which allowed bad guys to steal credit cards. The breach started on Saturday and lasted until Tuesday. As breaches go, that is an amazingly fast detection to remediation cycle (Source: VC Star).
One year ago, in May 2017, the President signed an Executive Order on cyber security . One year later we have the results of that EO. The Office of Management and Budget released a report that says that 71 of 96 federal agencies participating in the assessment were either at risk or at high risk due to the use of old technology and the lack of competent cyber security help. I feel more secure already (/End Sarcasm). Only 25 agencies were found to be effectively managing risk.
Obviously, it is a hard problem to fix, but generating another report really doesn’t help the problem much.
Only 40% of the agencies participating were able to see if their data was being stolen.
After a year’s worth of work and who knows how many millions of tax dollars, at least from what was released, I do not see a Plan of Action with Milestones. That is the hard part, that is what is required and that is what is missing. Another agency kills a few more trees and likely nothing changes. We will see if that is true, but from this report, I don’t see anything changing (Source: Federal Computer Weekly). Unfortunately for you and me.