Tag Archives: Meltdown

Security News Bites for Week Ending August 17, 2018

Hamas Creates Fake Missile Warning App to Hack Israelis

The Times of Israel is reporting that Hamas created and distributed a fake version of the Code Red rocket warning app.

According to Clearsky Cyber Security, the app takes over the phone and cannot be removed; the malicious component survives even if the app itself is deleted.

Once installed, the app lets the attacker track the phone, take pictures, record sound, make calls and send messages – everything a normal user could do, except that the person doing it, in this case, is a terrorist.

The message here is not just to avoid Hamas, but to be wary of apps from any untrusted source: what an app advertises is no guarantee of what the code actually does.  Source: The Times of Israel.

Cisco and Others Release Patches for VPN Encryption Flaws

Cisco, Huawei, Clavister and ZyXEL network products are susceptible to an attack described in a paper ("The Dangers of Key Reuse: Practical Attacks on IPsec IKE") to be presented at the Usenix Security Symposium.  The bug is a Bleichenbacher-style padding oracle in the IKEv1 RSA-encrypted-nonce authentication mode: an attacker who can talk to the VPN gateway can recover the encrypted nonces, and since the nonces feed the session key derivation, that lets the attacker impersonate a VPN endpoint and, as a man-in-the-middle, decrypt the VPN traffic.

Note this is NOT a flaw in the encryption algorithm, but rather a bug in the software that implements the protocol around it.  This is why people regularly succeed in hacking and stealing millions in crypto currency – because no software is perfect.

It is interesting that Cisco is the only major player affected.

Cisco has released patches for IOS and IOS XE, but users can only get them if they pay Cisco for software maintenance, the main reason I do not recommend Cisco products.  The other vendors don’t charge users for fixes of security flaws.

For Cisco users that do not have maintenance or are running old, unsupported hardware, *IF* you have the ability to turn off the rsa-encr authentication mode (the "authentication rsa-encr" setting in an IKEv1 "crypto isakmp policy") in favor of RSA signatures or pre-shared keys, that will eliminate the attack.  It may break peers that depend on that mode, however.  Source: Bleeping Computer.

Oracle Releases Critical Security Patch

Oracle is urging its customers to quickly patch a critical vulnerability (CVE-2018-3110, in the Java VM component of the database server) which can result in a complete compromise of the database and provide shell access to the underlying server.

The alert covers Oracle Database 11.2.0.4 and 12.2.0.1 on Windows.  The bug is easy to exploit and can be exploited remotely over Oracle Net, but it does require the attacker to be able to log in to the database; low privileges are enough.

Users running 12.1.0.2 on Windows, or any version of the database on Linux or Unix, are affected by the same bug, but the fix for them was already included in the July Critical Patch Update, so they should install the July patches.  Source: Helpnet Security.

Yet Another Spectre/Meltdown Style Vulnerability Found

This is a strange security week between Oracle and Cisco.  Now we have news of yet another Spectre/Meltdown style vulnerability.  How is it that for 15 years no one found any of them and this year they have found at least 6, probably more?

This new bug, called L1 Terminal Fault (L1TF; the researchers call it Foreshadow), affects Intel’s Core and Xeon families, i.e. the chips in most PCs and every Intel Mac.  The attack the researchers found targets Intel’s SGX, which is kind of like the iPhone’s secure enclave, and allows an attacker to extract information from the enclave – not good.

To add insult to injury, while the researchers found one attack (CVE-2018-3615, against SGX), which Intel has confirmed, Intel itself says it found two more: one against the operating system and system management mode (CVE-2018-3620) and one against hypervisors, where a malicious guest can read data belonging to the host or to other guests (CVE-2018-3646).

Now here is the bad news.  Intel says that the microcode update, together with operating system patches, eliminates the problem with no performance impact for end users and non-virtualized environments.  For users running in a virtualized environment, especially in the cloud, it is a different story: Intel says that additional steps are needed (flushing the L1 data cache every time the hypervisor enters a guest, and either disabling hyperthreading or keeping untrusted guests off the sibling thread of a core).  Those are steps a tenant cannot take on a shared host like many AWS, Azure or Google environments; there you depend on the provider having done it. Source: Computing.Co .
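How do you tell whether a Linux host you control has actually taken those extra steps?  Kernels carrying the mitigation report the state in /sys/devices/system/cpu/vulnerabilities/l1tf.  The following is an added example, not code from the post or from Intel, that reads that file and decides whether guests on the host are protected.  The exact wording of the status strings is taken from my reading of the kernel’s arch/x86/kernel/cpu/bugs.c and is an assumption; check it against Documentation/admin-guide/l1tf.rst for your kernel.  The sample lines in the comments are constructed.

```c
/* Added example (not from the post): classify the Linux kernel's L1TF status
 * line, exposed on mitigated kernels as
 *   /sys/devices/system/cpu/vulnerabilities/l1tf
 * Forms (assumption, from my reading of arch/x86/kernel/cpu/bugs.c; verify
 * against Documentation/admin-guide/l1tf.rst on your kernel):
 *   "Not affected"
 *   "Vulnerable"
 *   "Mitigation: PTE Inversion"                    (no KVM/VMX in use)
 *   "Mitigation: PTE Inversion; VMX: <flush>, SMT <vulnerable|disabled>"
 *   where <flush> is one of "vulnerable", "conditional cache flushes",
 *   "cache flushes", "EPT disabled", "flush not necessary". */
#include <stdio.h>
#include <string.h>

enum l1tf_state {
    L1TF_NOT_AFFECTED,      /* CPU not vulnerable */
    L1TF_VULNERABLE,        /* no PTE inversion: even bare metal is exposed */
    L1TF_HOST_ONLY,         /* PTE inversion on, no VMs running: done */
    L1TF_GUESTS_AT_RISK,    /* VMs run, but SMT on and/or no L1D flush */
    L1TF_GUESTS_PROTECTED,  /* VMs run with SMT off and L1D flushed on entry */
    L1TF_UNKNOWN            /* unrecognised text: do not assume safety */
};

/* Pure function over the status text so it can be tested on constructed
 * input; l1tf_read_sysfs() below fetches the live line. */
enum l1tf_state l1tf_classify(const char *status)
{
    if (strcmp(status, "Not affected") == 0)
        return L1TF_NOT_AFFECTED;
    if (strcmp(status, "Vulnerable") == 0)
        return L1TF_VULNERABLE;
    if (strncmp(status, "Mitigation: PTE Inversion", 25) != 0)
        return L1TF_UNKNOWN;

    const char *vmx = strstr(status, "VMX:");
    if (vmx == NULL)
        return L1TF_HOST_ONLY;

    /* With EPT off, a guest cannot choose the physical address that a
     * not-present PTE points at, so the guest-to-host variant does not apply;
     * "flush not necessary" is the kernel saying the same for this CPU. */
    if (strstr(vmx, "EPT disabled") || strstr(vmx, "flush not necessary"))
        return L1TF_GUESTS_PROTECTED;

    /* Otherwise BOTH are needed: L1D flushed on every VM entry (conditional
     * or unconditional), and no sibling hyperthread to snoop the L1D while
     * the guest runs. "cache flushes" matches both flush modes. */
    int smt_off   = strstr(vmx, "SMT disabled") != NULL;
    int l1d_flush = strstr(vmx, "cache flushes") != NULL;
    return (smt_off && l1d_flush) ? L1TF_GUESTS_PROTECTED : L1TF_GUESTS_AT_RISK;
}

/* Read the live line (newline stripped). Returns 0 on success, -1 if the
 * file is missing, i.e. a kernel without the mitigation or not Linux;
 * callers should treat -1 as "assume vulnerable", not as "not affected". */
int l1tf_read_sysfs(char *buf, size_t len)
{
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/l1tf", "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, (int)len, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    static const char *names[] = {
        "not affected", "VULNERABLE, host exposed", "host mitigated, no VMs",
        "guests AT RISK", "guests protected", "unrecognised (treat as vulnerable)"
    };
    char line[256];
    if (l1tf_read_sysfs(line, sizeof line) != 0) {
        puts("l1tf: no status file; kernel predates the mitigation or not Linux");
        return 1;
    }
    printf("%s -> %s\n", line, names[l1tf_classify(line)]);
    return 0;
}
```

Run this on the hypervisor, not in a guest: inside a cloud instance the file describes the guest kernel’s own view, and the host-side SMT and L1D flush decisions that matter for cross-tenant leakage are the provider’s and are not visible from the instance.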

Bitcoin Speculator Sues AT&T for $240 Million

The speculator is suing AT&T after an employee allowed a social engineer to port his phone number, which he used as the second factor for his bitcoin accounts, to a phone the attacker controlled.

A hacker had broken into his account a few months earlier; in response, AT&T had set up an account PIN (this should be standard) and flagged his account as high risk.  Nonetheless, an employee allowed a hacker to port the phone number anyway, without the PIN or any of that information being checked.

Porting phone numbers to get around two factor authentication is becoming popular;  I was interviewed for a TV piece recently where someone’s number was ported and their bank account emptied out in just a few minutes.

AT&T is fighting the suit, arguing that they are not required to follow their own security protocols and certainly are not responsible for what happens if they do not.  The speculator lost $23+ million in bitcoin.

For those who are in a high risk situation, using text messages for two factor is not sufficient; a hardware token or an authenticator app that does not depend on the phone number is the answer.  In fact, given that his account had been hacked before, the fact that HE did not switch to a more secure second factor immediately weakens his case.

Stay tuned.  Source: The Register .

Friday News


Atlanta, GA is the most recent city to get hit by a ransomware attack – on Thursday, March 22.  Cities seem to be a hot target, likely because they are big, public and behind the private sector when it comes to IT and cyber security.  One of Atlanta’s councilmen said “As daunting as the city of Atlanta’s apparatus may seem, we’re still limited by the amount of resources we have to defend our systems,” and Atlanta’s mayor “compared the city’s network to a decade-old pickup she drove until it was wrecked”.  The mayor said to expect a “massive inconvenience”.  The attacker is asking for $50,000 and the city is considering paying it.  One piece of good news:  the city does have cyber insurance, so the taxpayers won’t be footing the entire bill to put Humpty-Dumpty back together again.

The local CBS affiliate said that the city was warned months ago that its IT was in critical condition, on life support, and that it did not have the resources to recover.  (Source: Atlanta Journal Constitution).


After FOUR YEARS and TWENTY EIGHT drafts, the Internet Engineering Task Force, the group of geeks that control the Internet’s protocols, has approved TLS 1.3.  While to the average user that doesn’t mean anything, to the geeks in the room it means that HTTPS will be a little bit more secure – a lot more secure than some HTTPS traffic, since the old, weak key exchanges and cipher suites are gone entirely – and a little bit faster, since the handshake needs one fewer round trip.  While it will take some time for traffic to move to this new version, it will, and it will likely do so faster than the move to 1.2 did.  An effort to build a back door into the protocol for the convenience of network managers – and also spies and hackers – was beaten back and not added to the spec.  Score one for you and me.  (Source: The Register).

The New York Times is reporting that the FBI is working with a team of security experts to attempt to craft a back door to encryption on mobile devices – the so called “going dark” problem.  The team, headed up by a professor at MIT, is testing out different possibilities, although the FBI says that it is not ready to ask Congress for legislation.  Yet.  At least this time they are working with security experts, which would likely yield a better solution than anything the politicians invent.  Still, there are problems.  First, is it really possible to keep a back door secret, and to keep the key material that unlocks every phone from leaking or being stolen?  Can they get Congress, over the massive distrust on all sides of the conversation, to agree to such a law?  How do they get application developers, based in foreign countries and maybe even hosted in foreign countries, to agree to such an intrusion?  Lots of questions, not very many answers.  (Source: New York Times).


Microsoft’s Meltdown patch for Windows 7 64-bit and Windows Server 2008 R2 introduced a worse bug (dubbed “Total Meltdown” by the researcher who found it, Ulf Frisk): it left the kernel’s own page tables mapped readable and writable from user mode, which means that malware could read and write any memory, make itself an administrator and modify the operating system’s memory map, with no speculative-execution tricks required.  The good news is that it does not affect Windows 8 or 10 and has been fixed in the March Windows update release.  (Source: The Register).


I have written before that DHS won’t finish with all of the audit requests from states regarding voting process security until this summer, leaving no time to actually fix any problems.   Now, the Brennan Center for Justice at NYU has released an updated version of its 2015 report on voting machine security.  Forty-one states are still using voting systems at least a decade out of date.  That is kind of like still using an iPhone 3G – one that likely has not been patched in 5 or more years.  That is down from 44 states being in that position in 2015.  The report also covers all the other phases of the voting process, from registering voters to election night tallies, that are likely easier to compromise.  It all boils down to money and time, something the states and cities do not have available and which the feds do not think is important enough to fund.  (Source: GovCyberInsider).

Meltdown and Spectre – The Next Chapter

Meltdown and Spectre, the twin vulnerabilities affecting Intel and many other processors, have been a moving target.  Patches were followed by “unpatches” when those patches caused computers to reboot randomly.  Then there were the software patches that slowed down computers by anywhere from 5% to 30%, depending on the workload.

The process of mitigating these vulnerabilities has been way more complicated than we usually see.  But there is hope.

So what can you do?  Here are some answers –

First a tool – a free tool – to see what patches have been installed.  Google (or any other search tool) “INSPECTRE”.  Look for the entry from Gibson Research Corp at GRC.Com (https://www.grc.com/inspectre.htm) – in Google it is usually the first entry.  Download it and it will tell you, in English, if you are vulnerable or protected.

For Meltdown, there is a simple operating system patch that vendors have released (it isolates the kernel’s page tables from user processes: KPTI on Linux, “KVA Shadow” on Windows).  Install the patch, run Inspectre to test and you are safe from Meltdown.

Spectre is the bad boy.

The problem that Spectre exploits is a design decision that Intel and others made two decades ago: speculative execution.  It isn’t so much a bug as a design decision that had unanticipated side effects.  What this means is that fixing it means changing the microcode inside the chip itself, which adds new controls (such as restricting indirect branch speculation) that the operating system and compilers then use.

There are several variants of Spectre, some worse than others.  Intel has released microcode patches for almost all of their chips, but getting them installed is the challenge.  These microcode updates are normally delivered as a BIOS/UEFI update, which means you have to get a very specific update for your model of computer from the computer’s manufacturer.

But there is some good news. 

Intel just announced that it will be selling a new “generation” of chips later this year with hardware changes for Spectre and Meltdown built in.  It is a bit confusing at this point because they are being called 8th generation chips, but 8th generation chips without the fix started shipping last year.  Still, Intel will be shipping new versions of the 8th generation processors (what they will be called is not clear) that come with the protections built in rather than patched on afterwards (see announcement here).

But more exciting is the fact that Microsoft has started releasing patches that load new microcode into the processor.  Turns out Windows has long been able to do this (the operating system loads the microcode at every boot; nothing in the chip is permanently changed), but given the hundreds of chips that Intel has released, Microsoft rarely if ever releases a patch that uses this capability.  This is an exception.

Microsoft has released a fix, KB4090007, but there is a catch.  Of course.

First, the patch only works if you are running Windows 10 and only if you are running the Windows 10 Fall Creators Update (version 1709).  I guess that is to entice you to upgrade.

Second, you have to go find the patch and download it yourself from the Microsoft Update Catalog.  It will NOT be coming to a Windows Update near you any time soon.

Finally, it only patches certain select chips  listed in the article behind the KB link above.  You need to know the chip model you are running.  Luckily, the newest version of Inspectre will tell you that information.  Then you can go to the knowledge base article linked above to see if your chip is one that Microsoft can patch.  If it is, manually download the patch and install it.  Once done, the Inspectre software should show that you are protected.

Microsoft is supposed to be adding more chips to the list over time and hopefully, will create a fix for Windows 8 and Windows 7, since both of these are supposedly still supported.  Just not yet.  Second class citizens.
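To compare your chip against a list like Microsoft’s you need its CPUID signature, the five hex digit value (for example 906E9 for a Kaby Lake desktop part) that such tables use alongside the code name.  As an added example, not code from the post or from Microsoft, here is how that signature and the family/model/stepping are derived from the raw value the processor returns in EAX for CPUID leaf 1.  The bit layout is from Intel’s Software Developer’s Manual; that the table’s CPUID column is that EAX value in hex is my reading of it, and the three-entry list at the bottom is a constructed sample, not the KB4090007 table, so check the KB article for the real one.

```c
/* Added example (not from the post): decode the CPUID leaf-1 EAX value into
 * family/model/stepping and the "signature" that Intel tools and microcode
 * tables print (e.g. 906E9). Layout of EAX per Intel SDM, CPUID.01H:
 *   bits  3:0  stepping       bits  7:4  model       bits 11:8  family
 *   bits 13:12 processor type bits 15:14 reserved
 *   bits 19:16 extended model bits 27:20 extended family  bits 31:28 reserved
 * Extended family applies only when the base family is 0xF; extended model
 * applies when the base family is 0x6 or 0xF. */
#include <stdint.h>
#include <stdio.h>

struct cpu_sig {
    unsigned family;    /* display family, e.g. 6 */
    unsigned model;     /* display model, e.g. 0x9E for Kaby Lake */
    unsigned stepping;
    uint32_t signature; /* EAX with the reserved bits cleared, printed in hex */
};

struct cpu_sig decode_cpuid1_eax(uint32_t eax)
{
    struct cpu_sig s;
    unsigned base_family = (eax >> 8) & 0xF;
    unsigned base_model  = (eax >> 4) & 0xF;
    unsigned ext_family  = (eax >> 20) & 0xFF;
    unsigned ext_model   = (eax >> 16) & 0xF;

    s.stepping = eax & 0xF;
    s.family = (base_family == 0xF) ? base_family + ext_family : base_family;
    s.model  = (base_family == 0x6 || base_family == 0xF)
             ? (ext_model << 4) | base_model
             : base_model;
    /* Keep everything except the reserved bits 15:14 and 31:28. */
    s.signature = eax & 0x0FFF3FFF;
    return s;
}

/* Constructed sample list (an assumption for illustration, NOT the KB table):
 * signatures in the style the KB article uses (Skylake H/S, Kaby Lake H/S,
 * Kaby Lake U/Y). Replace with the entries from the article itself. */
static const uint32_t sample_patched_signatures[] = { 0x506E3, 0x906E9, 0x806E9 };

/* 1 if this signature appears in the list, else 0. */
int signature_in_list(uint32_t signature, const uint32_t *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == signature)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed input: the leaf-1 EAX of a Kaby Lake desktop part. On a
     * real x86 machine you would fetch this with the CPUID instruction. */
    struct cpu_sig s = decode_cpuid1_eax(0x000906E9);
    printf("family %u model 0x%X stepping %u -> signature %X, %s\n",
           s.family, s.model, s.stepping, s.signature,
           signature_in_list(s.signature, sample_patched_signatures, 3)
               ? "in sample list" : "not in sample list");
    return 0;
}
```

The display family/model arithmetic is what every OS and microcode loader does before matching a chip against an update, so this is also the number to quote when asking a vendor whether a firmware update covers your board.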

Not simple and not complete, but it is progress.

The Challenge of Meltdown and Spectre

The twin bugs of Meltdown and Spectre are a once in a career event for security pros.

Most bugs are found quickly – these have been around for 20+ years.

Most bugs affect one hardware platform like Intel or AMD or are not related to any specific hardware device.  Spectre affects nearly every modern processor that does speculative, out-of-order execution, from the highest end Intel chip to the ARM chips powering phones.

Most bugs affect one operating system such as Windows or iOS.  These bugs affect Windows, MacOS, Linux and other operating systems.

Finally, most bugs are relatively easily fixed once they are found.  Spectre requires, basically, new chip designs to truly fix them.

Worse yet, researchers wrote about these problems in 1992.  At the time people figured this was too  hard to exploit so no one would try.  We have already seen proof of concept exploits on the web.

In general, the Meltdown bug is fixable in software (by unmapping kernel memory from user processes, i.e. kernel page-table isolation); to completely fix Spectre requires changes to the hardware, but software changes (microcode-assisted branch controls, retpolines in compiled code, and index masking in code that handles untrusted input) will make exploiting Spectre more difficult.
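The Spectre variant 1 pattern that the “software changes” above refer to, as an added example that is not from the post: a bounds check that is correct when executed but bypassable during speculation, beside the branch-free index masking the Linux kernel uses (array_index_nospec) to harden it.  The arrays and index values are constructed; the cache-timing side channel that turns the cache footprint into leaked bytes is deliberately not reproduced.

```c
/* Added example (not from the post): the Spectre variant 1 gadget and the
 * software hardening that makes it much harder to exploit. The timing side
 * channel that turns the cache footprint into leaked bytes is NOT reproduced
 * here; this is the code-review view: the pattern to look for, and the fix. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] =
    { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
/* Probe array: one cache line (512 bytes here) per possible byte value. */
static uint8_t array2[256 * 512];

/* Make array2[v * 512] == v so the victims below return array1[x] and the
 * tests can check what was read. (The real attack cares which line got
 * cached, not the value returned.) */
void init_probe_array(void)
{
    for (unsigned v = 0; v < 256; v++)
        array2[v * 512] = (uint8_t)v;
}

/* VULNERABLE: the bounds check is correct architecturally. But after the
 * attacker trains the branch predictor with in-range x, a call with a large
 * x is speculatively executed as if the check passed: array1[x] reads
 * out of bounds (into whatever secret lies beyond it), and the dependent
 * array2 load pulls the line selected by that byte into cache before the
 * misprediction is discovered. The architectural result (0) is correct;
 * the cache footprint leaks. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 512];
    return 0;
}

/* Branch-free mask: all ones if index < size, zero otherwise. Same idea as
 * the Linux kernel's array_index_mask_nospec; written with an unsigned shift
 * so it is fully defined C. Requires 0 < size <= SIZE_MAX / 2. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    /* If index < size both terms are below size, so the top bit is clear.
     * If index >= size, size - 1 - index wraps and sets the top bit. */
    size_t top = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;   /* top == 0 -> SIZE_MAX; top == 1 -> 0 */
}

/* What the hardened code actually uses as the index: out-of-range values
 * collapse to 0 even on a mispredicted path, because no branch is involved. */
size_t clamp_index_nospec(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* HARDENED: same check, but the index is masked before the load, so the
 * worst a speculative path can do is read array1[0]. An LFENCE after the
 * check, or the compiler's Spectre option (e.g. MSVC /Qspectre), is the other
 * common approach; masking costs no serializing instruction. */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void)
{
    init_probe_array();
    size_t evil = 40;   /* constructed: any value >= ARRAY1_SIZE */
    printf("vulnerable(3)=%u hardened(3)=%u\n",
           victim_vulnerable(3), victim_hardened(3));
    printf("out-of-range index %zu is clamped to %zu before any load\n",
           evil, clamp_index_nospec(evil, ARRAY1_SIZE));
    return 0;
}
```

The two victims return identical results for every input, which is exactly why this class of bug survives testing: the difference exists only in what the CPU touched while speculating, and only a side-channel measurement can see it.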

I am pretty diligent about applying patches, so I figured I was protected at least against Meltdown and possibly against Spectre.

Today I installed InSpectre (available at https://www.grc.com/inspectre.htm).  After running it, I received this message (note there is a lot of explanatory commentary when you scroll down):

I was pretty surprised.

I checked to see if I had any pending updates and I did not.  I looked at the updates that had been installed and the January cumulative update had not been installed, but I could not see any reason why.

I eventually did find a link to download it manually and was able to install it.  The install went perfectly and did not exhibit any of the negative symptoms (like a blue screen of death) that some users had experienced early on.

After installing the patch, I ran InSpectre again and got this message:

So I guess I am making progress, but it is not complete.

This free utility, written by long time security industry expert Steve Gibson, is available on his web site; you might want to see if you are really protected.  Or not.


Is Turnabout Fair Play?

Tech Crunch is reporting that Intel told customers about the Meltdown and Spectre flaws before the public announcement, but they did not tell the U.S. Government about it.

Most of the time, it is the other way around.  The U.S. Government knows about a flaw but doesn’t tell the company who can do something about it.

One kind of strange twist to this is that, apparently, they did tell some Chinese customers, who likely did tell the Chinese government about it.

There certainly is no law that requires them to tell the U.S. Government about the flaw, ever.  Just like there is no law that requires the U.S. Government to tell Intel about any flaws that it knows about.

Still, it seems odd that they would opt to tell a Chinese company (likely a large OEM, maybe Lenovo?) and not tell Homeland Security.

They claimed that they were unable to tell everyone they planned to tell because the news leaked early.

Just to be clear – they knew about the problem since June.  They PLANNED to announce the bug on January 9th, but it was leaked on January 3rd.

This means that even if they did plan to tell the Feds about the “issue”, they didn’t plan to tell them in enough time to do anything about it.  Intel declined to say who they did tell about the bug or who they were planning to tell about it.

There is another part to this story, however.

There was a research paper published about this flaw in 1992.  That would be 26 years ago for those who are not good at math.  There was another paper on the subject around 1995. The NSA is VERY good at reading research and figuring out if they can exploit it.  That is what they are supposed to do and even though people like to complain about them, they are pretty damn good.  Maybe not perfect, but VERY, VERY good.

SO, an argument could be made, but not proven, that (a) the NSA and maybe other parts of the government knew about this flaw, (b) other governments, friendly and not so friendly, knew about it and (c) some of them might have been selectively exploiting it, for possibly up to 25 years.  Even if the various governments who are likely to have known about it (Russia, China, Israel, U.S. and others) denied that they knew about it, would you believe them?  After all, lying is part of their business also.

For Intel, this is just more bad news to tarnish their reputation, although it doesn’t seem to be hurting their stock price at the moment.

Still, with AMD about to release its Ryzen Threadripper 2 later this year, which is supposed to be much faster than the new Intel i9 at less than half the price, Intel doesn’t really need any more bad news.

Who said there was no such thing as bad publicity?  That person might want to talk to Intel and see if they agree.

Information for this post came from Tech Crunch.


Processor Security Flaw Keeps Morphing

Last week news leaked of a problem with Intel processors built since 1995.  The problem – they can be induced to leak the contents of memory they should not be able to read, possibly including important stuff like all of your passwords.

It then came out that Microsoft and the Linux community were building patches and they would be released soon.

Apple said that it released a patch for the flaw in mid December.  Wait.  No.  Only for part of the flaw (Meltdown).  New patch now.

But the bug also impacts AMD processors – at least some of them.

And ARM processors, like on your cell phone.

Oh, yeah, today Apple released a patch for iPhones.

And now Microsoft is halting the distribution of the patch on computers that have certain AMD processors in them, because the documentation AMD gave Microsoft did not match how those chips actually behave, and if you install the patch on one of those computers it will not boot – a really, really expensive brick.

The good news is that people think this flaw, which has been around for 22 years (and likely already exploited by state sponsored hackers), is relatively hard to exploit .  Until some hacker posts sample code on the Internet.

The industry is not used to such an all encompassing problem.  I can’t recall this EVER happening in my career.  Cross chip and cross operating system – that is a once in a lifetime event.

Also, there are patches being released for applications like Safari, Firefox and many others; browsers in particular are reducing the precision of their JavaScript timers and disabling features like SharedArrayBuffer, so that Spectre-style code running in a web page cannot measure the cache timing differences it depends on.

There is no simple answer, but it is getting sorted out.  Give it a week, maybe two tops and I think it will settle down.  There are a LOT of moving parts here.

Information for this post came from Reuters and Betanews.