Tag Archives: Speculative Execution

Security News for the Week Ending May 17, 2019

Be Thankful That You Are Not Equifax – Costs Reach $1.4 Billion So Far

Two years after the big breach, Equifax reported financials for the first quarter.   They reported a loss of $555.9 million compared to a net income of $90 million for the same period in 2018 on basically flat revenue.

Equifax had $125 million in cyber risk insurance with a $7.5 million retained liability.  The insurance has paid out the full amount.

So far, the company has accrued $1.35 Billion in data breach costs and this game is far from over.  The say it is not possible to estimate the full costs.  For more information, read the Bank Info Security article.

Boost Mobile Announces Breach – Two Months Ago

Boost mobile apparently got some customer data boosted.  Two months ago.  An undated letter to the California AG and an undated web page on Boost’s website says that the breach happened on March 14, 2019.  We don’t know what the bad guys took, how many customers were affected or even when people were notified.  The only thing we can guess is that since it hit the media today, the notifications were very recent.

If any of the people affected were in Colorado, the notifications came 15-30 days late.  There are probably other states for which the notification was late as well.  Stay tuned- we may see some AGs getting upset.  Source: Techcrunch.

Supply Chain Attacks Get Bigger and Badder

Last week it was WebPrism and 200 college bookstores.   This week it is Picreel, the analytics firm, Alpaca Forms (open source-so much for open source is more secure) and over 4,600 hacked websites.

The attack is still going on; the sites are still infected and the problem is only getting worse.  If you are loading third party code on your website, you need to rethink your security.  Source: ZDNet .

Intel Announces New Family of Speculative Execution Attacks

Intel seems to be challenged to catch a breach.  Err, a break.    After last year’s Spectre and Meltdown attacks comes this year’s ZombieLoad and Fallout attacks.  This is not a surprise – experts predicted more speculative execution attacks would be found.

Other than some new Intel 8th and 9th generation chips, all Intel chips made in the last decade are vulnerable, but ARM and AMD chips are not.  Some older chips will be patched while others, which are likely out of patch space on the chip, will never be fixed.

Apple, Intel, Microsoft and others have all released patches to mitigate these attacks on the chips for which there are fixes.  The attacks can be made either by planting malware on the device or remotely over the Internet.

The good news FOR THE MOMENT is the attack seems to be complex, so likely it will be used in targeted situations, but if used, everything on the device can be compromised including passwords and encryption keys.

Disabling Simultaneous Multi-Threading will significantly reduce the impact of this attack.

Source: Security Week.

For $600 A Hacker Could Confuse Any Commercial Plane’s Instrument Landing System

From a Cessna to a jumbo jet, every commercial plane built in the last 50 years uses a radio based system to guide it to land when it can’t see the runway – such as in rain or in fog.

These radios were not designed to be secure from hacking.

There is no encryption.  There is no authentication.  The system in the plane assumes that any radio signals that come from the ground are legit.

Unfortunately, for $600 a hacker can purchase a software defined radio that can tell the plane that it is off course.  A little high.  A little to the side.

In theory, if the pilot can see the runway, he or she will execute a “missed approach” and go around.  Given how busy the US airspace is, that decision may be at 50 feet off the ground – not a lot of time to react.

Probably, right now, this is an  unlikely attack.  Right now.  But remember, attacks never get less probable, only more probable as attackers figure out how to manipulate things.  Source: Ars Technica.

Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack.  First thing is that the web site was based on WordPress.  While WordPress is a very popular site for individuals and small businesses; using it for something as complex as a concert ticketing site is likely a mistake.  Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data was accessed;  only names, addresses, phones, emails,etc. were compromised.  This is likely due to security minded design decisions made early in the development of the site. The site was down for almost a week, a disaster in the online ticketing business and likely they are going to have to pay the venues that use them significant compensation to keep them from jumping ship.  That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than Worpress. (Source: Variety )

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI (see article here).  The FBI says that they disrupted a business email compromise scheme, recovered $2.4 million and halted $14 in bogus wire transfers.  This represents 0.3 percent (about one third of one percent)  of the reputed losses.  While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse.  (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn.  When Apple refused to unlock an iPhone after the San Bernadino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it.  Now Apple is saying that, in the next software release, they are going to disable data transfer from locked iPhones via the charging port after a phone has been locked for an hour.  Why that should have ever been open is not clear.  This will likely break some of the hacking software that the police are using.  (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.   In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, there recently were 8 more flaws announced with differing degrees of difficulty and impact.  This week brings Lazy State, an exploit that allows a process to infer the contents of floating point arithmetic registers of another process due to a time optimization called lazy floating point state restore.  Some operating systems have already turned this optimization off (Red Hat Enterprise Linux) and any Linux variant running version 4.9 of the Kernel or newer is also safe.  Others have patched the flaw recently (OpenBSD, FreeBSD).  I am assuming that Microsoft and Apple will fix this month since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies.  Why?  Because, hackers think it is easy to do and the odds of getting caught is low.  This week it is Ethereum and they lost about $20 million.  One more time, this is not an attack on the math, but rather on the implementation.  Users leaving ports open on their client computers which allowed the attackers to steal the user’s wallets. (Source: The Hacker News)