Tag Archives: Spectre

Security News Bites for Week Ending August 17, 2018

Hamas Creates Fake Missile Warning App to Hack Israelis

The Times of Israel is reporting that Hamas has created and was distributing a fake Code Red rocket warning app.

The app, according to Clearsky Cyber Security, takes over the phone and is impossible to remove, even if the app is deleted.

Once infected, the app allows the hacker to track the phone, take pictures, record sound, make calls and send messages – everything a normal user would do, except the person doing it, in this case, is a terrorist.

The message here is not just to avoid Hamas, but also to be wary of apps from untrusted sources as they may have unintended side effects.  Source: The Times of Israel.

Cisco and Others Release Patches for VPN Encryption Flaws

Cisco, Huawei, Clavister and ZyXEL network products are susceptible to an attack according to a paper to be presented at the Usenix Security Symposium.  This would allow an attacker to recover the encryption nonce which then would allow an attacker to decrypt all VPN data.

Note this is NOT a flaw in the encryption algorithm, but rather a bug in the software that implements it.  This is why people regularly successfully hack and steal millions in crypto currency – because no software is perfect.

It is interesting that Cisco is the only major player affected.

Cisco has released patches for IOS and IOS XE, but users can only get them if they pay Cisco for software maintenance, the main reason I do not recommend Cisco products.  The other vendors don’t charge users for fixes of security flaws.

For Cisco users that do not have maintenance or are running old, unsupported hardware, *IF* you have the ability to turn off rsa-encr authentication mode, that will solve the problem.  It may break other things, however.  Source: Bleeping Computer.

Oracle Releases Critical Security Patch

Oracle is urging its customers to quickly patch a critical vulnerability in their database installations which can result in a complete compromise of the database and provide shell access to the underlying server.

The attack only affects Oracle versions 11.2 and 12.2, is easy to exploit, can be exploited remotely but does require the attacker to have credentials.  The vulnerability is in the Java virtual machine.

Users running 12.1 on Windows or any version of Linux or Unix should install the July patches.  Source: Helpnet Security.

Yet Another Spectre/Meltdown Style Vulnerability Found

This is a strange security week between Oracle and Cisco.  Now we have news of yet another Spectre/Meltdown style vulnerability.  How is it that for 15 years no one found any of them and this year they have found at least 6, probably more?

This new bug affects the Intel Core- and Xeon families, i.e. the chip in every PC and Mac.  It is called the L1 Terminal Fault.  This new fault affects Intel’s SGX, which is kind of like the iPhone’s secure enclave, allowing an attacker to extract information from it – not good.

To add insult to injury, while the researchers found one attack, which Intel has confirmed, Intel itself says it found two more attacks.

Now here is the bad news.  Intel says that they will have a patch which will eliminate the problem with no performance impact on end user and non- virtualized environments, but for users running in a virtualized environment, especially in the cloud, that is a different story and Intel says that you will have to take additional steps – steps that you probably cannot actually take in a shared host environment like many AWS, Azure or Google environments. Source: Computing.Co .

Bitcoin Speculator Sues AT&T for $240 Million

The speculator is suing AT&T after they allowed a social engineer to port his phone number which he used for two factor authentication for his bitcoin transactions.

A hacker had broken into his account a few months earlier and AT&T had set up an account PIN (this should be standard) and flagged his account as high risk.  None the less, an employee allowed a hacker to port the phone number anyway, without any of that information.

Porting phone numbers to get around two factor authentication is becoming popular;  I was interviewed for a TV piece recently where someone’s number was ported and their bank account emptied out in just a few minutes.

AT&T is fighting the suit saying that they are not required to follow their own security protocols and certainly not responsible for what happens if they do not.  The speculator lost $23+ million in bitcoin.

For those who are in a high risk situation, using text messages for two factor is not sufficient and, in fact, given his account was hacked before, why didn’t HE change to a more secure second factor immediately weakens his case.

Stay tuned.  Source: The Register .

Facebooktwitterredditlinkedinmailby feather

News Bites for Friday June 1

8 new Spectre-Class Vulnerabilities

Researchers have reportedly found *8* new Spectre-class vulnerabilties.  Intel has classified 4 of them high risk and 4 of them medium risk, although they are not releasing any details on them – yet.  The entire set is being referred to as Spectre Next Generation or Spectre-NG.  At least one of them is rumored to be able to capture data from other virtual machines, like passwords, running on the same computer – as would be the case in Microsoft Azure, Google Compute or Amazon EC2.

Supposedly Intel is planning on releasing some patches this month and some more in August.  Until then and until we get more information, it is a bit of a black hole.

As we saw with the earlier Spectre vulnerabilities, some chips could be patched while others could not.  That is likely the case here.

We also saw that it was hard to exploit the old Spectre vulnerabilities.  Apparently, for at least one of these new vulnerabilities, it is realtively easy to exploit.  Combine that with the suspicion that some chips may not be fixable …. not good.

It is rumored that at least some of these flaws affect ARM chips as well;  it is unknown if they affect AMD chips, which have their own set of flaws not affecting Intel.

Ultimately, this should have been expected.  As chip makers pushed harder and harder to make their chips faster – faster than the previous generation and faster than their competitors, they took calculated risks.  Now those risks are coming back to haunt them  (Source: The Hacker News).

The General Data Protection Regulation (GDPR)

The GDPR went into effect in the EU on Friday and it is likely to have an effect not only on EU residents but also people around the world. It significantly increases resident’s control over their information and how it is used.

The United States has a completely different view on the subject; specifically, businesses can pretty much do whatever they want with information that they collect about you and me.  Check out Facebook or Google if you have any questions about that.

Other countries such as Japan, South Korea, Brazil, Thailand, Bermuda and others seem to be lining up with the EU’s way of thinking because doing that allows for a more seamless transfer of information between the EU and those countries and that translates to more business.

The U.S. has negotiated an agreement with the EU called Privacy Shield, which was negotiated after the last agreement, Safe  Harbor, was shot down by the EU’s High Court.  Privacy Shield is now in front of the High Court and no one knows what that outcome will be.

With Friday’s law in place, a number of U.S. media companies like the LA Times and Chicago Tribune have blocked EU users from accessing their web sites rather than become compliant.  Not sure that is a great strategy, but maybe.  That strategy is especially suspect if more countries adopt EU-like laws.  If they do then companies that are not compliant may be limited to being visible in the United States.  That also means reduced business opportunities for those companies.

Literally, as soon as the law came into effect, complaints were filed in multiple countries against large U.S. companies like Facebook.  Stay tuned for the outcome of those complaints.  Like the Chinese proverb says: may you live in interesting times.  This qualifies (Source: Reuters).

Vermont Data Broker Regulation Now In Effect

Until now data brokers like Acxiom (yes, you have never heard of them and that is not a coincidence) collect and aggregate data from hundreds of sources and generate thousands of data points per person.  They know that you bought some particular medicine last week and infer what the disease it.  That isn’t covered under HIPAA because, they have not talked to your doctor.  They create their own variant of a credit score, but since it is not actually a credit score, it isn’t regulated.

Well as of last week, Vermont has become the first state in the country to regulate data brokers.  Hardly the end of the road for brokers, but, at least, there are now some security requirements for these folks.

Now they will have to meet security requirements, control access to the data, and, report breaches.  And, using their data for fraud is now a crime on its own.  Will other states follow?  Who knows; stay tuned (Source: Tech Crunch).

Blockchain Will Solve All Known Problems – As Soon As They Perfect The Software

From the title of this item, you can probably figure out where I stand on the Blockchain mania.

Chinese hackers have discovered a flaw in the EOS (blockchain) Smart Contract software that allows them to execute arbitrary code on on the the EOS nodes, from there to control an EOS supernode that manages other nodes and from there control other nodes.  Ultimately, potentially, completely compromising the integrity of the blockchain.

Other than that, it is perfect.

This is not a flaw in the cryptography.  Only a flaw in the software.  Kind of like forging your signature on a paper contract, only in that case, they can’t forge it from, say, China.  In this case, they can.

So as people drool in bliss over blockchain, remember that the blockchain is not loops of steel chain, but rather software and as soon as any piece of software exceeds about 2 lines of code, it is likely to have bugs in it.

It will likely be 10-20 years before there is sufficient case law to figure out who is liable for the software bugs, but you can count on one party claiming it is not them and that is the software developers.  The law still, pretty much, thinks you draw up contracts with a quill pen and and ink well, so don’t count on much help from the law if you wind up in the middle of a fraudulent smart contract.

Oxnard Investigating Data Breach

The city of Oxnard is investigating a breach of credit card information used by customers to pay their water bill.  The breach was caused by multiple vulnerabilities in their vendor’s (Superion) software which allowed bad guys to steal credit cards.  The breach started on Saturday and lasted until Tuesday.  As breaches go, that is an amazingly fast detection to remediation cycle (Source: VC Star).

President’s Executive Order on Cyber Security Produces Results

One year ago, in May 2017, the President signed an Executive Order on cyber security .  One year later we have the results of that EO.  The Office of Management and Budget released a report that says that 71 of 96 federal agencies participating in the assessment were either at risk or at high risk due to the use of old technology and the lack of competent cyber security help.  I feel more secure already (/End Sarcasm).  Only 25 agencies were found to be effectively managing risk.

Obviously, it is a hard problem to fix, but generating another report really doesn’t help the problem much.

Only 40% of the agencies participating were able to see if their data was being stolen.

After a year’s worth of work and who knows how many millions of tax dollars, at least from what was released, I do not see a Plan of Action with Milestones.  That is the hard part, that is what is required and that is what is missing.  Another agency kills a few more trees and likely nothing changes.  We will see if that is true, but from this report, I don’t see anything changing (Source: Federal Computer Weekly).  Unfortunately for you and me.

Facebooktwitterredditlinkedinmailby feather

Meltdown and Spectre – The Next Chapter

Meltdown and Spectre, the twin vulnerabilities affecting Intel and many other processors, has been a moving target.  Patches followed by “unpatches” when those patches caused computers to reboot randomly.  Then there were the software patches that slowed down computers by from 5% to  30%.

The process of mitigating these vulnerabilities has been way more complicated than we usually see.  But there is hope.

So what can you do?  Here are some answers –

First a tool – a free tool – to see what patches have been installed.  Google (or any other search tool) “INSPECTRE”.  Look for the entry from Gibson Research Corp at GRC.Com – in Google it is usually the first entry.  Download it and it will tell you, in English, if you are vulnerable or protected.

For Meltdown, there is a simple Windows (and other OS) patch that vendors have released.  Install the patch, run Inspectre to test and you are safe from Meltdown.

Spectre is the bad boy.

The problem that Spectre exploits is a decision that Intel and others made two decades ago.  It isn’t so much a bug as a design decision that had unanticipated side effects.  What this means is that fixing it means fixing the firmware inside the chip itself.

There are several variants of Spectre, some worse than others.  Intel has released patches for almost all of their chips, but getting them to install them  is the challenge.  These patches to the chip usually require you to to get a very specific patch for your model of computer from the computer’s manufacturer.

But there is some good news. 

Intel just announced that they will be selling a new “generation” of the chip later this year with the firmware patch already in place.  It appears a bit confusing at this point because they are 8th generation chips, but 8th generation chips without the patch started shipping last year. But, they will be shipping new versions of the 8th generation processors (what they will be called is not clear) that come with patches already installed (see announcement here).

But more exciting is the fact that Microsoft has started releasing patches to fix the firmware inside the chips.  Turns out Windows has always been able to do this but due to the hundreds of chips that Intel has released, Microsoft rarely if ever releases a patch that uses this capability.  This is an exception.

Microsoft has released a fix, KB4090007, but there is a catch.  Of course.

First, the patch only works if you are running Windows 10 and only if you are running the Windows 10 Fall Creators Update.  I guess that is to entice you to upgrade.

Second, you have to go find the patch and download it.  It will NOT be coming to a Windows Update near you any time soon.

Finally, it only patches certain select chips  listed in the article behind the KB link above.  You need to know the chip model you are running.  Luckily, the newest version of Inspectre will tell you that information.  Then you can go to the knowledge base article linked above to see if your chip is one that Microsoft can patch.  If it is, manually download the patch and install it.  Once done, the Inspectre software should show that you are protected.

Microsoft is supposed to be adding more chips to the list over time and hopefully, will create a fix for Windows 8 and Windows 7, since both of these are supposedly still supported.  Just not yet.  Second class citizens.

Not simple and not complete, but it is progress.

Facebooktwitterredditlinkedinmailby feather

The Challenge of Meltdown and Spectre

The twins bugs of Meltdown and Spectre are a once in a career event for security pros.

Most bugs are found quickly – these have been around for 20+ years.

Most bugs affect one hardware platform like Intel or AMD or are not related to any specific hardware device.  Spectre affects every modern computing processor from the highest end Intel chip to the ARM chips powering all phones.

Most bugs affect one operating system such as Windows or iOS.  These bugs affect Windows, MacOS, Linux and other operating systems.

Finally, most bugs are relatively easily fixed once they are found.  Spectre requires, basically, new chip designs to truly fix them.

Worse yet, researchers wrote about these problems in 1992.  At the time people figured this was too  hard to exploit so no one would try.  We have already seen proof of concept exploits on the web.

In general, the Meltdown bug is fixable in software;  to completely fix Spectre requires changes to the hardware, but software changes will make exploiting Spectre more difficult.

I am pretty diligent about applying patches, so I figured I was protected at least against Meltdown and possibly against Spectre.

Today I installed InSpectre (available at  https://www.grc.com/inspectre.htm ) .  After running it, I received this message (note there is a lot of explanatory commentary when you scroll down):

I was pretty surprised.

I checked to see if I had any pending updates and I did not.  I looked at the updates that had been installed and the January cumulative update had not been installed, but I could not see any reason why.

I eventually did find a link to download it manually and was able to install it.  The install went perfectly and did not exhibit any of the negative symptoms (like a blue screen of death) that some users had experienced early on.

After installing the patch, I ran InSpectre again and got this message:

So I guess I am making progress, but it is not complete.

This free utility written by long time security industry expert Steve Gibson is free on his web site; you might want to see if you are really protected.  Or not.

 

Facebooktwitterredditlinkedinmailby feather

Is Turnabout Fair Play?

Tech Crunch is reporting that Intel told customers about the Meltdown and Spectre flaws before the public announcement, but they did not tell the U.S. Government about it.

Most of the time, it is the other way around.  The U.S. Government knows about a flaw but doesn’t tell the company who can do something about it.

One kind of strange twist to this is that, apparently, they did tell some Chinese customers, who likely did tell the Chinese government about it.

There certainly is no law that requires them to tell the U.S. Government about the flaw, ever.  Just like there is no law that requires the U.S. Government to tell Intel about any flaws that it knows about.

Still, it seems odd that they would opt to tell a Chinese company (likely a large OEM, maybe Lenovo?) and not tell Homeland Security.

They claimed that they were unable to tell everyone they planned to tell because the news leaked early.

Just to be clear – they knew about the problem since June.  They PLANNED to announce the bug on January 9th, but it was leaked on January 3rd.

This means that even if they did plan to tell the Feds about the “issue”, they didn’t plan to tell them in enough time to do anything about it.  Intel declined to say who they did tell about the bug or who they were planning to tell about it.

There is another part to this story, however.

There was a research paper published about this flaw in 1992.  That would be 26 years ago for those who are not good at math.  There was another paper on the subject around 1995. The NSA is VERY good at reading research and figuring out if they can exploit it.  That is what they are supposed to do and even though people like to complain about them, they are pretty damn good.  Maybe not perfect, but VERY, VERY good.

SO, an argument could be made, but not proven, that (a) the NSA and maybe other parts of the government knew about this flaw, (b) other governments, friendly and not so friendly knew about it and (c) some of them might have been selectively exploiting it.  For possibly, up to 25 years.  Even if the various governments who are likely to have known about it (Russia, China, Israel, U.S. and others) denied that they knew about it, would you believe them?  After all, lying is part of their business also.

For Intel, this is just more bad news to tarnish their reputation, although it doesn’t seem to be hurting their stock price at the moment.

Still, with AMD about to release their Ryzen Threadripper 2 later this year, which is supposed to be  much faster than the new Intel i9 at less than half the price, they don’t really need any more good news.

Who said there was no such thing as bad publicity?  That person might want to talk to Intel and see if they agree.

Information for this post came from Tech Crunch.

 

Facebooktwitterredditlinkedinmailby feather

Processor Security Flaw Keeps Morphing

Last week news was leaked of a problem with Intel processors built since 1995.  The problem – they could be hacked to possibly leak important stuff like all of your passwords.

It then came out that Microsoft and the Linux community were building patches and they would be released soon.

Apple said that they released a patch for the flaw in mid December.  Wait.  No.  Only for part of the flaw.  New patch now.

But the bug also impacts AMD processors – at least some of them.

And ARM processors, like on your cell phone.

Oh, yeah, today Apple released a patch for iPhones.

And now Microsoft is halting the distribution of the patch on computers that have AMD processors in them because AMD gave them bad technical specs and if you install the patch on one of those computers they turn into a really, really, expensive brick.

The good news is that people think this flaw, which has been around for 22 years (and likely already exploited by state sponsored hackers), is relatively hard to exploit .  Until some hacker posts sample code on the Internet.

The industry is not used to such an all encompassing problem.  I can’t recall this EVER happening in my career.  Cross chip and cross operating system – that is a once in a lifetime event.

Also, there are patches being released to applications like Safari and Firefox and many others.

There is no simple answer, but it is getting sorted out.  Give it a week, maybe two tops and I think it will settle down.  There are a LOT of moving parts here.

Information for this post came from Reuters and Betanews.

 

Facebooktwitterredditlinkedinmailby feather