Meltdown and Spectre. (Speed at the price of insecurity?)
Three vulnerabilities in processor chips were publicly disclosed this week (New York Times). One is "Meltdown;" the other two are referred to as "Spectre." They could enable side channel attacks in affected systems. According to Google, whose Project Zero played a prominent role in the research and disclosure, the issues are rooted in speculative execution, which enables the threading that lends processes the smooth speed users expect. Meltdown (CVE-2017-5754) permits ordinary applications to evade security boundaries usually enforced at chip level and access kernel memory. This vulnerability was first reported in Intel chips. Spectre (CVE-2017-5753 and CVE-2017-5715) is the more widespread and potentially dangerous of the two. It enables an attacker to bypass isolation among different applications (Bleeping Computer).
The bugs came to full public attention this week (New York Times). Google had quietly disclosed them to affected vendors some months ago, but working on fixes inevitably involved bringing in a large number of developers in a number of companies, and that inevitably meant that the news was leaking out. A growing conviction that leaks couldn't be contained apparently prompted public disclosure. It also explains the quick if still incomplete preparation of the fixes we saw this week (SANS Internet Storm Center).
Initial reports this week said only Intel chips were affected, but Intel objects to being singled out, and says its products remain the most secure available (CRN). Some competing manufacturers initially said their processors were unaffected, but their optimism was unfounded: most recent processors share the Spectre vulnerabilities, which have been identified in ARM and AMD chips as well (Silicon Valley Business Journal).
Many experts advise that patched devices will run noticeably more slowly. Cloud users should experience similar slowdowns as cloud vendors mitigate the risk of exploitation (CRN). One point worth noting is that there are a lot of ARM chips in Internet-of-things devices. If those are susceptible to Spectre, as they seem to be, that means there will be a lot of small, scattered, difficult-to-the-point-of-impossibility-to-patch IoT devices out there.
There's no doubt that the bugs can be exploited. Mozilla has independently confirmed that both Spectre and Meltdown can be used via JavaScript to extract information from a CPU when the user visits a malicious website. So it turns out that both Spectre and Meltdown can indeed be exploited remotely by malicious code embedded in ordinary JavaScript files. The attention being paid to exploitation through the browser is no accident. If the bugs are to be remotely exploited, it's likely that attackers will do so in the ways Mozilla has outlined. It remains to be seen whether any exploitation that develops will be broadly executed or highly targeted, scattergun or rifle shot (Bleeping Computer).
Mitgating the risk of Meltdown and Spectre.
US-CERT at first decided Spectre was too tough to deal with and recommended replacement of affected CPUs. But industry decided that's impractical, and seems determined to continue patches and mitigations (Threatpost, Ars Technica). US-CERT has since quietly retreated from its initial recommendation (Business Insider).
Intel has begun rolling out fixes for the vulnerabilities (Help Net Security). Some of those mitigations are reported to have noticeably slowed Amazon Web Service EC2 servers (Computing).
Mozilla has issued an interim mitigation that involves a work around. Since the side-channel attacks Spectre and Meltdown enable depend upon precise timing, they've reduced the precision of Firefox's internal timer. A full fix will be out with the next edition of Firefox (Bleeping Computer).
Microsoft has been out quickly with patches for both Edge and Internet Explorer. These appeared Wednesday as an out-of-band update for Windows. Early patchers report that the Windows 10 update in particular didn't play well with a number of anti-virus products (Register).
Google is getting ready to address the bugs in Chrome 64, expected to be out on January 23rd, but in the meantime the company points out that users can protect themselves by enabling a new security feature that was incorporated into Chrome 63. That feature is "Strict Site Isolation" (Google Help). You'll find that it calls itself "highly experimental," but Google encourages you to put Strict Site Isolation in place.
Apple systems had earlier been reported as immune to the bugs, but Apple has been quick to correct this misapprehension: all of their products, whether iOS or MacOS, are also at risk. Cupertino has issued some mitigations already, and others are promised soon (Reuters).
Iran and the Internet.
Iran has been in throes of growing unrest since Thursday, December 28th, 2017. Dissatisfaction has centered on alleged corruption and the economic hardships protesters see it as having produced. Current, growing unrest in Iran seems driven significantly by Instagram and (especially) the secure messaging app Telegram. The troubles began with street protests and some rioting (Tasnim). Authorities in the Islamic Republic are cracking down on Internet use generally and on Telegram channels in particular. The country's Information and Communictions Technology Minister, Mohammad-Javad Azari Jahromi, preceded the shutdown with a direct tweet at Telegram's founder Pavel Durov. His tweet read: "A Telegram channel is encouraging hateful conduct, use of Molotov cocktails, armed uprising, and social unrest. NOW is the time to stop such encouragements via Telegram."
The channel in question is run by exiled dissident journalist Roohallah Zam, who denies fomenting violence, but who has published images of disturbances and planned times for demonstrations. Among the chants reported to have been heard were these: "We Will Die to Get Iran Back," "Not Gaza, Not Lebanon, My Life Only for Iran," "Let Syria Be, Do Something for Me," and even "Reza Shah, Bless Your Soul," in remembrance of the late Shah deposed in the revolution of 1979 (Commentary).
But the nation's leadership is showing signs of hesitancy, with President Hassan Rouhani acknowledging that some allegations of corruption may have at least a partial point even as he promises to punish those damaging property and defaming the Islamic Republic.
The head of Iran's Passive Defense Organization, Brigadier General Gholamreza Jalali on December 31st spoke about the country's cyber defenses as being its guarantor of "security and independence" against US aggression (Mehr News), but Iran's capabilities seem likelier to be used domestically, at least in the near term. The Deputy Chief of Staff of the Armed Forces, Brigadier General Jazayeri on Tuesday agreed: Iran is under attack in cyberspace, the enemies' weapon is information, the danger is that minds might be changed (Mehr News).
The Infy threat group, generally held to be an Iranian government operation, targets individuals, especially foreigners, believed to represent a political threat to the regime. Infy specializes in spearphishing (Infosecurity Magazine).
Those who recall the "Green" protests after the disputed 2009 elections will remember the role Twitter played in sustaining dissent, a false dawn of hope for both Iranian reform and positive grassroots social media interactions. Reports suggest that some thirteen people have been killed in the disturbances so far.
As the US prepares more punitive sanctions against Iran's Republican Guard (Times), there have been calls for Western governments to use the occasion of unrest to change Iran into a more tractable international actor (Times). Strong words out of Washington have met with more approval internationally than one might have expected (Washington Post).
The challenge of content moderation.
Content moderation remains as difficult in London, Paris, and San Francisco as it does in Tehran. In the US, concerns are to a great extent about "fake news." Studies suggest that Facebook has been the most significant conduit of online hooey (PC Magazine). Facebook, which has tried a number of approaches to the issue, has concluded that flagging stories as fake not only doesn't help, but actually makes things worse, so the company will instead work on providing more "context" to help readers sort out what is from what isn't (Naked Security). This continuing effort will involve a great deal of human labor (Motherboard).
French President Macron has proposed a law to regulate des fausses nouvelles, which he characterized in his annual speech to the press as a threat to democracy (Atlantic).
Free and frank discussions...
Boris Johnson, the UK's Secretary of State for Foreign and Commonwealth Affairs, said in meetings with his Russian counterparts that Britain wanted no more of Moscow's nonsense in cyberspace, and that the UK was ready and able to reply in kind, should that become necessary (Computing). Concerns about the possibility of attacks on infrastructure have recently circulated in the UK, with the prospect of tapping or disruption of undersea cables prominently figuring among such worries. Fussing about the cables seems perhaps overheated (WIRED). In any case cables have been tapped or cut since the First World War, so this particular risk is at least a hundred years old (University of Leeds).
Concerns about damaging attacks on critical infrastructure are not confined to the UK, but are widely shared. A number of industry and government labs are working to identify weak points and render systems more resilient (BBC). As they do so they are being reminded that securing control and safety systems are bit of different game from securing information technology (Control Global).
From Ukraine come assertions designed to make Western flesh creep. Oleksii Yasinsky of Kyiv-based cyber security firm ISSP says that his country has become a "training ground" where Russian operators "hone technologies, mastery and attack techniques" for bigger operations against European and North American targets. Yasinsky forecasts "a quiet attack" (SC Magazine).
How could anti-virus software be converted to a surveillance tool?
The suspicions surrounding Kaspersky Lab's security software that led to its banning from US Federal Government systems centered on that software's extensive inspection of the systems it protects. Digita Security's Chief Research Officer, Patrick Wardle, ran a test with Kaspersky software to see whether the extensive inspection, quarantining, and reporting of files could be adapted in ways that an intelligence service might find useful. He did so by marking a section of Winnie the Pooh with classification markers, and sure enough, found that the software noticed and quarantined a file showing Winnie and Piglet seated on a bench. In itself this of course doesn't show that there was a direct pipeline from Langley to the Lubyanka, but it does, as Wardle put it, "confirm that an antivirus product can be trivially, yet surreptitiously, used to detect classified documents" (New York Times). This adaptability isn't confined to Kaspersky products (PC Magazine).
Aadhaar database breached.
Or "pwned" is more like it, if reports hold up. India's Aadhaar national biometric identification database has apparently been breached again, with access to its data for sale on the Dark Web for under $10 (Tribune). Aadhaar has had its security issues before (Quint), but this latest appears close to a complete compromise, affecting pretty much everyone in the country. Several experts have noted that losing biometric data can be a serious matter indeed. In this case it seems other personally identifiable information, not necessarily the biometric data themselves, may have been lost. The Indian government clearly has its security work cut out for it over the next several months at least. The government has denied that the compromise occurred (TechSpot). On the other hand, the Aadhaar portal was down late in the week for reasons that are unclear (Quint).
Crime and punishment.
In a tragic and deeply repellent incident, a Wichita man was killed by police in a swatting that arose from an unusually pointless (even by the low standards of online gaming) dispute among Call of Duty players. The victim, a young father of two, was not only innocent, but completely uninvolved (Ars Technica). The alleged swatter has been arrested in Los Angeles (Ars Technica). Critics (and the bereaved) have been calling the now-suspended police officer who shot the man culpably reckless, but whoever made the very long call that prompted the raid did everything he could to make the situation seem dangerous and desperate (KrebsOnSecuity).
Former NSA contractor Hal Martin is said to have indicated his willingness to plead to a single count of taking a classified document home with him. The single charge carries a maximum possible penalty of ten years imprisonment (Reuters). Federal prosecutors, who say investigators picked up 50 terbytes of classified information at Mr. Martin's Glen Burnie residence, seem unlikely to let things ride with that, and no plea agreement seems to have been reached. No one seems to know why Mr. Martin took stuff home with him—if the Government knows, it's not saying. Mr. Martin's attorney has said that Mr. Martin took home things to study so he could get better at his job, and then taking things home became an obsession. The document Mr. Martin indicated his willingness to admit taking was a 2014 chart of a proposed NSA reorganization (Baltimore Sun). An org chart, it seems, would be a very obscure object of desire, still less obsession.
Patches and updates.
The Opera browser has been made more resistant to cryptocurrency miners (Hot for Security).
VMWare has patched three "critical" vulnerabilities in its vSphere Data Protection (VDP), the backup and recovery solution associated with the vSphere platform (Threatpost).
Patching takes time, we see again: there's no simple set-it-and-forget-it (Infosecurity Magazine).
We discussed above the patches and mitigations for Spectre and Meltdown that were distributed this week. Microsoft's out-of-band patch is not thought likely to replace Patch Tuesday, set for the 9th (Help Net Security). We heard from Ivanti's Chris Goettl, who expects a Cumulative Rollup for pre-Win 10 systems and the rest of a normal Patch Tuesday from Redmond next week.
Industry notes.
On Wednesday Barracuda Networks announced its acquisition of PhishLine, a provider of SaaS social engineering simulation and training (Barracuda).
McAfee has completed its acquisition of Skyhigh Networks (New Brunswick Herald). Temprano Techvestors’ Network Security Group Inc. has bought the purchase of Waytek Software for an undisclosed amount. Waytek is a security software distribution and resale shop (Charlotte Business Journal). KPMG has acquired the identity business of Cyberinc (Mergers & Acquisitions).
NuCypher, a California company specializing in bringing private data to public blockchains, has raised $4.3 million in pre-sale investment (CoinReport). AlgoSec has raised $36 million from Claridge Israel (Reuters). Threatcare has closed a seed-funding round of $1.6 million from Moonshot Capital (Daily Telescope).
NiceHash's CEO, Marko Kobal, stepped down in the wake of the Slovenia-based startup's loss of $63 million in cryptocurrency to hackers. NiceHash brokers arrangements between coin miners and people with spare computing power (Bitcoinist).
Smart lock manufacturer Otto has suspended operations four months after it launched its flagship digital lock (TechCrunch).
Data Killers, secure recyclers of equipment, announced plans for global expansion (Concord Monitor).
Nanalyze published its list of six artificial intelligence companies to watch in 2018. Here are the start-ups mentioned in dispatches; their names will be familiar to most readers: Cybereason, Endgame, Shape Security, Versive, PerimeterX, and Obsidian. VentureBeat has also made a list. Theirs is of non-Silicon Valley tech startups to watch, some of which, like Duo Security, are in the cyber sector.