Tag Archives: Intel

Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack.  First thing is that the web site was based on WordPress.  While WordPress is a very popular platform for individuals and small businesses, using it for something as complex as a concert ticketing site is likely a mistake.  Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data was accessed; only names, addresses, phones, emails, etc. were compromised.  This is likely due to security-minded design decisions made early in the development of the site. The site was down for almost a week, a disaster in the online ticketing business, and likely they are going to have to pay the venues that use them significant compensation to keep them from jumping ship.  That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than WordPress. (Source: Variety)

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI (see article here).  The FBI says that they disrupted a business email compromise scheme, recovered $2.4 million and halted $14 million in bogus wire transfers.  This represents 0.3 percent (about one third of one percent) of the reputed losses.  While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse.  (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn.  When Apple refused to unlock an iPhone after the San Bernardino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it.  Now Apple is saying that, in the next software release, they are going to disable data transfer from locked iPhones via the charging port after a phone has been locked for an hour.  Why that should have ever been open is not clear.  This will likely break some of the hacking software that the police are using.  (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.  In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, there recently were 8 more flaws announced with differing degrees of difficulty and impact.  This week brings Lazy State, a flaw that allows a process to infer the contents of the floating point arithmetic registers of another process due to a timing optimization called lazy floating point state restore.  Some operating systems have already turned this optimization off (Red Hat Enterprise Linux), and any Linux variant running version 4.9 of the kernel or newer is also safe.  Others have patched the flaw recently (OpenBSD, FreeBSD).  I am assuming that Microsoft and Apple will fix this month, since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies.  Why?  Because hackers think it is easy to do and the odds of getting caught are low.  This week it is Ethereum, and they lost about $20 million.  One more time, this is not an attack on the math, but rather on the implementation: users left ports open on their client computers, which allowed the attackers to steal the users’ wallets. (Source: The Hacker News)


News Bites for Friday June 1

8 new Spectre-Class Vulnerabilities

Researchers have reportedly found *8* new Spectre-class vulnerabilities.  Intel has classified 4 of them high risk and 4 of them medium risk, although they are not releasing any details on them – yet.  The entire set is being referred to as Spectre Next Generation or Spectre-NG.  At least one of them is rumored to be able to capture data, like passwords, from other virtual machines running on the same computer – as would be the case in Microsoft Azure, Google Compute or Amazon EC2.

Supposedly Intel is planning on releasing some patches this month and some more in August.  Until then and until we get more information, it is a bit of a black hole.

As we saw with the earlier Spectre vulnerabilities, some chips could be patched while others could not.  That is likely the case here.

We also saw that it was hard to exploit the old Spectre vulnerabilities.  Apparently, for at least one of these new vulnerabilities, it is relatively easy to exploit.  Combine that with the suspicion that some chips may not be fixable... not good.

It is rumored that at least some of these flaws affect ARM chips as well;  it is unknown if they affect AMD chips, which have their own set of flaws not affecting Intel.

Ultimately, this should have been expected.  As chip makers pushed harder and harder to make their chips faster – faster than the previous generation and faster than their competitors – they took calculated risks.  Now those risks are coming back to haunt them.  (Source: The Hacker News)

The General Data Protection Regulation (GDPR)

The GDPR went into effect in the EU on Friday, and it is likely to have an effect not only on EU residents but also on people around the world. It significantly increases residents’ control over their information and how it is used.

The United States has a completely different view on the subject; specifically, businesses can pretty much do whatever they want with information that they collect about you and me.  Check out Facebook or Google if you have any questions about that.

Other countries such as Japan, South Korea, Brazil, Thailand, Bermuda and others seem to be lining up with the EU’s way of thinking because doing that allows for a more seamless transfer of information between the EU and those countries and that translates to more business.

The U.S. has negotiated an agreement with the EU called Privacy Shield, which was negotiated after the last agreement, Safe Harbor, was shot down by the EU’s High Court.  Privacy Shield is now in front of the High Court, and no one knows what that outcome will be.

With Friday’s law in place, a number of U.S. media companies like the LA Times and Chicago Tribune have blocked EU users from accessing their web sites rather than become compliant.  Not sure that is a great strategy, but maybe.  That strategy is especially suspect if more countries adopt EU-like laws.  If they do then companies that are not compliant may be limited to being visible in the United States.  That also means reduced business opportunities for those companies.

Literally, as soon as the law came into effect, complaints were filed in multiple countries against large U.S. companies like Facebook.  Stay tuned for the outcome of those complaints.  Like the Chinese proverb says: may you live in interesting times.  This qualifies (Source: Reuters).

Vermont Data Broker Regulation Now In Effect

Until now, data brokers like Acxiom (yes, you have never heard of them, and that is not a coincidence) collect and aggregate data from hundreds of sources and generate thousands of data points per person.  They know that you bought some particular medicine last week and infer what the disease is.  That isn’t covered under HIPAA because they have not talked to your doctor.  They create their own variant of a credit score, but since it is not actually a credit score, it isn’t regulated.

Well as of last week, Vermont has become the first state in the country to regulate data brokers.  Hardly the end of the road for brokers, but, at least, there are now some security requirements for these folks.

Now they will have to meet security requirements, control access to the data, and, report breaches.  And, using their data for fraud is now a crime on its own.  Will other states follow?  Who knows; stay tuned (Source: Tech Crunch).

Blockchain Will Solve All Known Problems – As Soon As They Perfect The Software

From the title of this item, you can probably figure out where I stand on the Blockchain mania.

Chinese hackers have discovered a flaw in the EOS (blockchain) Smart Contract software that allows them to execute arbitrary code on the EOS nodes, from there to control an EOS supernode that manages other nodes, and from there to control other nodes.  Ultimately, potentially, completely compromising the integrity of the blockchain.

Other than that, it is perfect.

This is not a flaw in the cryptography.  Only a flaw in the software.  Kind of like forging your signature on a paper contract, only in that case, they can’t forge it from, say, China.  In this case, they can.

So as people drool in bliss over blockchain, remember that the blockchain is not loops of steel chain, but rather software and as soon as any piece of software exceeds about 2 lines of code, it is likely to have bugs in it.

It will likely be 10-20 years before there is sufficient case law to figure out who is liable for the software bugs, but you can count on one party claiming it is not them, and that is the software developers.  The law still, pretty much, thinks you draw up contracts with a quill pen and an ink well, so don’t count on much help from the law if you wind up in the middle of a fraudulent smart contract.

Oxnard Investigating Data Breach

The city of Oxnard is investigating a breach of credit card information used by customers to pay their water bill.  The breach was caused by multiple vulnerabilities in their vendor’s (Superion) software which allowed bad guys to steal credit cards.  The breach started on Saturday and lasted until Tuesday.  As breaches go, that is an amazingly fast detection to remediation cycle (Source: VC Star).

President’s Executive Order on Cyber Security Produces Results

One year ago, in May 2017, the President signed an Executive Order on cyber security.  One year later we have the results of that EO.  The Office of Management and Budget released a report that says that 71 of 96 federal agencies participating in the assessment were either at risk or at high risk due to the use of old technology and the lack of competent cyber security help.  I feel more secure already (/End Sarcasm).  Only 25 agencies were found to be effectively managing risk.

Obviously, it is a hard problem to fix, but generating another report really doesn’t help the problem much.

Only 40% of the agencies participating were able to see if their data was being stolen.

After a year’s worth of work and who knows how many millions of tax dollars, at least from what was released, I do not see a Plan of Action with Milestones.  That is the hard part, that is what is required and that is what is missing.  Another agency kills a few more trees and likely nothing changes.  We will see if that is true, but from this report, I don’t see anything changing (Source: Federal Computer Weekly).  Unfortunately for you and me.


Friday News

Intel will NOT be patching all of its flawed chips

After saying, for months, that it would release firmware updates for all chipsets produced in the last 5 years, Intel is now backtracking, saying that it won’t produce patches for the Bloomfield line, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, the Wolfdale line, and the Yorkfield line.  There were several reasons, number one being that it was too hard (read: impossible) given the architecture of those chips.  (Source: The Verge)

Microsoft Patch Tuesday Patches at Least 65 Vulnerabilities

From one perspective, given the breadth of Microsoft’s empire, releasing 65 SECURITY patches a month is not unreasonable.  On the other hand, given that they have been doing this for years, that is thousands of security flaws, which is a bit mind blowing.  This month’s patches affect Internet Explorer and Edge, Office, the Microsoft Malware Protection Engine (one more time), Visual Studio and Microsoft Azure.

A patch for the Malware Protection Engine (MPE) bug was released in an out-of-band patch last week because it affects all of Microsoft’s anti-malware products, such as Windows Defender and Security Essentials.  This is at least the third emergency patch to the MPE in recent months.

Corporate IT usually has patching handled, but when it comes to home users, things are a bit more spotty, so make sure that you install these patches (Source: Krebs On Security).

Identity thieves going after CPAs

If the IRS is warning tax preparers to “step up” their cybersecurity game, it must be bad. Brian Krebs details the story of a tax preparer who allowed his system to become compromised with a not very sophisticated keystroke logger.  The result was that his clients’ data was hacked and false returns were filed.  When the clients’ real returns were rejected by the IRS, the CPA provided form letters to his clients to file with the IRS saying that they were the victims of identity theft, but not saying that it was the accountant who was responsible.  No doubt the clients were left with the bill to clean up their CPA’s mess on top of it all.

If you use a tax preparer, you should be asking questions about their cybersecurity practices and if he or she says not to worry, you should start worrying.  Or looking for a more astute CPA (Source: Brian Krebs).

Atlanta, Colorado spending millions after ransomware attack

Atlanta has spent over $2 million mitigating the ransomware attack which started on March 12.  The attackers asked for $50,000, which likely would have been covered by insurance.  The costs are for Secureworks, Ernst and Young and others.  If these costs are to upgrade infrastructure, the insurance would not cover that.

The Colorado Department of Transportation (CDOT) has spent $1.5 million since their ransomware attack in February.  CDOT is still not fully operating yet.

Stories are that Atlanta’s IT was on life support due to lack of funding prior to the attack.  Assuming some of those millions are being spent on upgrading the infrastructure, maybe the attack has a silver lining.  (Source: SC Magazine).


Is Turnabout Fair Play?

Tech Crunch is reporting that Intel told customers about the Meltdown and Spectre flaws before the public announcement, but they did not tell the U.S. Government about it.

Most of the time, it is the other way around.  The U.S. Government knows about a flaw but doesn’t tell the company who can do something about it.

One kind of strange twist to this is that, apparently, they did tell some Chinese customers, who likely did tell the Chinese government about it.

There certainly is no law that requires them to tell the U.S. Government about the flaw, ever.  Just like there is no law that requires the U.S. Government to tell Intel about any flaws that it knows about.

Still, it seems odd that they would opt to tell a Chinese company (likely a large OEM, maybe Lenovo?) and not tell Homeland Security.

They claimed that they were unable to tell everyone they planned to tell because the news leaked early.

Just to be clear – they knew about the problem since June.  They PLANNED to announce the bug on January 9th, but it was leaked on January 3rd.

This means that even if they did plan to tell the Feds about the “issue”, they didn’t plan to tell them in enough time to do anything about it.  Intel declined to say who they did tell about the bug or who they were planning to tell about it.

There is another part to this story, however.

There was a research paper published about this flaw in 1992.  That would be 26 years ago for those who are not good at math.  There was another paper on the subject around 1995. The NSA is VERY good at reading research and figuring out if they can exploit it.  That is what they are supposed to do and even though people like to complain about them, they are pretty damn good.  Maybe not perfect, but VERY, VERY good.

So, an argument could be made, but not proven, that (a) the NSA and maybe other parts of the government knew about this flaw, (b) other governments, friendly and not so friendly, knew about it and (c) some of them might have been selectively exploiting it.  For possibly up to 25 years.  Even if the various governments who are likely to have known about it (Russia, China, Israel, U.S. and others) denied that they knew about it, would you believe them?  After all, lying is part of their business also.

For Intel, this is just more bad news to tarnish their reputation, although it doesn’t seem to be hurting their stock price at the moment.

Still, with AMD about to release their Ryzen Threadripper 2 later this year, which is supposed to be much faster than the new Intel i9 at less than half the price, they don’t really need any more good news.

Who said there was no such thing as bad publicity?  That person might want to talk to Intel and see if they agree.

Information for this post came from Tech Crunch.


Windows and Linux to Patch Major Intel Chip Flaw

UPDATE: Google’s Project Zero released information about the flaw and attacks as reports and speculation escalated (see here).  Reporters, including this one, are just learning the details of this.  An FAQ about the attack, which says that it affects Intel, AMD and ARM processors, is available here.  It does, they say, affect every microprocessor made since 1995.

Microsoft released an emergency patch overnight and Amazon announced that they have completed patching all but a small number of machines, which will be patched in the next few hours.  Expect more announcements over the next days.

Keep in mind that attackers will have to figure out how to weaponize this, but applying this patch should be considered critical.

The big tech news of the day is that Microsoft and the Linux community are about to release major patches to both environments, including all supported versions of both, to cover a known problem in the Intel x86-64 environment.  For Linux users, you will need to make sure that the particular distribution that you are running has the patch.  I assume, but do not know, that Microsoft will patch all supported operating systems back down to Windows 7.

Intel made some design decisions years ago to combine the operating system kernel and the user’s code into a combined environment to make it quicker to provide operating system services to user programs.

The details of the bug have been embargoed until the Windows and Linux patches have been released.  Apple released their MacOS patch (10.13.2) in mid December.  Still, reverse engineering betas of the Linux code is giving folks at least a partial idea of the problem.

Several years ago operating system vendors implemented a feature called address space layout randomization, or ASLR; the kernel variant is called KASLR, for Kernel ASLR.  KASLR randomizes where operating system modules are placed in memory in order to make it harder for attackers to jump to places in the operating system to do their dirty work.

Unfortunately, it appears, the bug allows programs, from web browsers to databases, to read kernel memory.  If it is possible for user programs to access the operating system kernel memory, they could find passwords, among other things.  They could also read the tables used for KASLR, effectively totally neutering that technology.

Given all this and possibly more, the patch becomes critical.

For enterprises and end users, installing these patches quickly is important because as of today, hackers are likely thinking about how to abuse your systems.

A couple of more things.

The question came up whether Intel could patch the microcode to fix this.  The answer, apparently, was no.  This was a fundamental design flaw.

Also, apparently, it required major effort on the part of Windows and Linux developers.  So much so that they were tempted to name it Forcefully Unmap Complete Kernel With Interrupt Trampolines. You can figure out what the acronym for that would be.

Oh yeah, there was a reason that Intel did things the way that they did – PERFORMANCE.  This fix will cause a performance decrease of from 5% to 30% depending on the chip family.  This means that the patches have to be coded differently for different chip generations.  The performance hit will especially hurt cloud providers like Google Compute Engine and Amazon EC2.

Finally, since this is a problem with Intel’s chip implementation, it does not affect servers with AMD processors in them.

I assume that Intel will fix this in the next generation of chips, but then we will have to add yet another hack to look to see if this is a new chip with the instructions implemented differently and code that again differently.  What a mess.  Shades of the Intel 486 Divide problem.  At least that could be fixed by updating the microcode in the chip.
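As an added, defender-side example (not code from this post, nor from Intel, Microsoft or the Linux project): a short Python script that reads the status files a patched Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities to report whether the Meltdown (PTI) and Spectre mitigations are active, and applies the "Linux 4.9 or newer is safe" rule of thumb from the Lazy State item earlier on this page. The sysfs path is the real kernel interface; the sample strings and the `report_from_mapping` helper are constructed so the script also runs offline.

```python
import os
import re

# Real sysfs interface the kernel mitigation patches added; the sample
# strings further down are constructed for the offline demonstration.
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify_mitigation(text):
    """Map a sysfs string ("Not affected", "Mitigation: PTI", "Vulnerable")
    to a coarse status; anything else is 'unknown'."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Mitigation:"):
        return "mitigated"
    if t.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def report_from_mapping(mapping, names=CHECKS):
    """Classify each check from {name: sysfs text}; a missing name is
    'unknown', which is how a kernel that predates the interface looks."""
    return {n: classify_mitigation(mapping[n]) if n in mapping else "unknown"
            for n in names}


def report_live(vuln_dir=SYSFS_VULN_DIR, names=CHECKS):
    """Read the running kernel's sysfs entries and classify them."""
    found = {}
    for n in names:
        try:
            with open(os.path.join(vuln_dir, n)) as f:
                found[n] = f.read()
        except OSError:
            pass  # entry absent on this kernel: reported as unknown
    return report_from_mapping(found, names)


def kernel_version(release):
    """Return (major, minor) from a 'uname -r' string like '4.9.0-8-amd64'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))


def lazy_fpu_restore_safe(release):
    """The post's rule of thumb: 4.9 and newer do not use lazy FP restore."""
    return kernel_version(release) >= (4, 9)


# Constructed samples, as if read from sysfs on a patched and an unpatched box.
SAMPLE_PATCHED = {"meltdown": "Mitigation: PTI\n",
                  "spectre_v1": "Mitigation: __user pointer sanitization\n",
                  "spectre_v2": "Mitigation: Full generic retpoline\n"}
SAMPLE_UNPATCHED = {"meltdown": "Vulnerable\n", "spectre_v2": "Vulnerable\n"}

if __name__ == "__main__":
    print("sample patched:  ", report_from_mapping(SAMPLE_PATCHED))
    print("sample unpatched:", report_from_mapping(SAMPLE_UNPATCHED))
    print("this machine:    ", report_live())
    print("lazy FP safe by version:", lazy_fpu_restore_safe(os.uname().release))
```

On a kernel older than the one that introduced these files every entry comes back as unknown, which is itself the signal that the machine has not received the patches discussed above.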

This one is a big deal!

Information for this post came from The Register.
