Meltdown and Spectre arose from engineering for speed—most chips are affected. Bogus security apps kicked out of Google Play. Iran's Internet crackdown. Indications of a guilty plea in NSA leak case.
Dave Bittner: [00:00:00:20] Just imagine how popular you'll be at trade shows and cocktail parties when you can tell people, "I'm not just a CyberWire listener, I'm a supporter." Go to patreon.com/thecyberwire to find out more.
Dave Bittner: [00:00:15:17] Meltdown and Spectre pose kernel-level security issues; speed was inadvertently purchased at the price of insecurity. Spectre affects most chips, not just those from Intel. Mitigations are on the way. Bogus security apps booted from Google Play. Be on the lookout for phony Android Uber apps. Iran's internet crackdown continues, and former NSA contractor Hal Martin may plead to taking one classified document home with him.
Dave Bittner: [00:00:47:20] Time for a few words from our sponsor, Cylance. You've probably heard of next generation anti-malware protection, and we hope you know that Cylance provides it, but what exactly is this next generation and why should you care? If you're perplexed, be perplexed no longer, because Cylance has published a guide for the perplexed. They call it Next Generation Anti-Malware Testing for Dummies, but it's the same principle: clear, useful and adapted to the curious understanding. It covers the limitations of legacy anti-malware techniques and the advantages of artificial intelligence, why you should test for yourself, how to do the testing and what to do with whatever you find. That's right up my alley, and it should be right up yours too, so check it out at cylance.com. Take a look at Next Generation Anti-Malware Testing for Dummies. Again, that's Cylance, and we thank them for sponsoring our show.
Dave Bittner: [00:01:39:05] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, January 4th, 2018.
Dave Bittner: [00:01:59:01] So, these computer things that run on this internet thing. Seems to be a little slower than usual, friend? Do they seem run down, sister? Not the same snap, crackle and pop you're used to, brother? No? Well, maybe not yet, but you might notice it before too much longer.
Dave Bittner: [00:02:14:11] We're talking, of course, about the processor chip vulnerabilities that have been discussed this week. They've received a lot of names, Eff-wit and Kaiser among them, and we won't use Eff-wit, because we're a family show and, if any children are listening, neither should you, kids. The names that are sticking, however, are Meltdown and Spectre. The fact that these both come with snazzy logos ready-made, Spectre represented by a Pacmanian cartoon ghost, Meltdown by a Dali-esque melting shield, suggests that they've been known to some people for some time. And, indeed, Google blogged yesterday that its Project Zero discovered and quietly disclosed them last summer.
Dave Bittner: [00:02:54:13] The vulnerabilities are found in processor chips and they enable side channel attacks in affected systems. According to Google, the vulnerabilities are rooted in the way chips are engineered for efficiency to perform speculative execution, which enables the threading that lends processes the smooth speed users expect. Meltdown, which is CVE-2017-5754, permits ordinary applications to evade the security boundaries usually enforced at chip level to access the private contents of kernel memory. This vulnerability appears confined largely to Intel chips.
Dave Bittner: [00:03:30:09] Spectre, which is CVE-2017-5753 and CVE-2017-5715, is the more widespread and potentially dangerous of the two. It enables an attacker to bypass isolation among different applications.
Dave Bittner: [00:03:48:17] Yesterday's reports said only Intel chips were affected. Some competing manufacturers initially said their processors were unaffected. Well, not so fast. That optimism seems to have been misguided. Most recent processors share the Spectre vulnerabilities if not the Meltdown issue. Spectre has now been identified in ARM and AMD chips as well, as Intel has helpfully pointed out.
Dave Bittner: [00:04:12:10] Microsoft has issued an out-of-band patch to mitigate the problems for its products. Other vendors either have or shortly will make mitigations possible. These are expected to fix the security issues, but at the expense of performance. Many experts are advising people that their patched devices will run noticeably more slowly. Cloud users should experience similar slowdowns. One point worth noticing is that there are a lot of ARM chips in internet-of-things devices. If those are susceptible to Spectre, as they seem to be, that means there will be a lot of small, scattered, difficult-to-the-point-of-impossible-to-patch IoT devices out there.
Dave Bittner: [00:04:52:16] Michael Daly is the Chief Technology Officer at Raytheon for Cyber Security, and he joins us to share his view on Spectre and Meltdown.
Michael Daly: [00:05:00:11] You know, the standard story of patch quickly is really what we need to take away from this immediate problem. Meltdown has been out there since June of last year, and we have to assume at this point that some criminal organizations and nation state adversaries are aware of the details of this and have been aware of it. It's unlikely that this was kept quiet from them, so they had time to develop exploits for it, and so now that the patches are out, and I saw Microsoft put out the Windows patches this morning, we need to get those installed quickly.
Dave Bittner: [00:05:38:13] Are we thinking that the software patches are going to be a long term solution or ultimately are we going to have to see some hardware fixes as well?
Michael Daly: [00:05:45:19] I don't think a hardware fix is anytime soon. Surely, Intel, AMD, ARM will make changes to their architecture for future chips, but for now I think we are stuck with software fixes. The Meltdown fixes appear to be out there. I've heard that the Cloud platforms are already patched for the most part, and Apple had their patch out last December, and others have theirs out. So I think Meltdown is okay, in the sense that we have a patch. It doesn't mean that people have applied them or rebooted their systems, which is required to make the patch active. But Spectre is going to hang around for quite a while, it seems.
Dave Bittner: [00:06:28:16] So, in terms of the specific threats that people need to look out for, what's your guidance there?
Michael Daly: [00:06:33:15] Well, the threat is that folks figure out how to get you to run some of this code, and then use it to grab your credentials and encryption keys. I'm more concerned about credentials than anything, meaning usernames and passwords. With that, they can then jump in and install other malware and go about the usual exploit chain. So this is another vector for them to grab credentials. You know, on the Spectre story, the troubles with that are probably going to grow a little bit over time, as the various criminal organizations and nation states work on developing new ways of exploiting it and, since there isn't a quick hardware fix, for sure, and software fixes appear to be partial at best, we're going to have to do continuous updates to our monitoring systems to look for Spectre exploits as and if they evolve over time.
Dave Bittner: [00:07:32:17] That's Michael Daly from Raytheon.
Dave Bittner: [00:07:36:12] In other news, Google has expelled 36 bogus security apps from the Play Store. Some of them misrepresented themselves as products from well-known and reputable vendors like Avast. This is, of course, an imposture, and Google has shooed these serpents from its walled garden. There's also some Android malware circulating in the wild that pretends to be an Uber app.
Dave Bittner: [00:07:59:10] Iran's crackdown on the internet continues as the regime declares victory in quashing unrest, but few observers take the Islamic Republic's claims of triumph at face value.
Dave Bittner: [00:08:10:12] Finally, in news of crime and punishment, former NSA contractor Hal Martin is reported by the Baltimore Sun and Reuters to have indicated his willingness to cop a guilty plea to a single count of taking a single classified document home with him. This came in a filing yesterday at the Baltimore court that's hearing the case. The single charge carries a maximum possible penalty of ten years' imprisonment. The government, which says it picked up 50 terabytes of classified information at Mr. Martin's Glen Burnie residence, seems unlikely to let things ride with that single plea. No one seems to know why Mr. Martin took stuff home with him; if the government knows, it's not saying. And Mr. Martin's attorney has said that it went like this: Mr. Martin took home things to study so he could get better at his job, and then taking things home became an obsession. We kind of get that. The document Mr. Martin indicated his willingness to admit taking was a 2014 chart of a proposed NSA reorganization. An org chart would be a kind of a page turner, kind of like those Jedi manuals Yoda blew up in The Last Jedi. Wait, should we have said "spoiler alert"? Well, sorry, and may the Force be with you.
Dave Bittner: [00:09:31:01] And now a moment to tell you about our sponsor, Control Risks. Successful companies seize opportunities in new markets, but where there's opportunity, there's risk. Whether you want to move your client data to the Cloud, bring an office online in China, or acquire a competitor in Mexico, keeping your information secure is paramount. To do that, your cybersecurity decisions must be aligned with your business strategy, driven by reducing your risk. In such complex environments, there's no substitute for expertise on the ground. With over 2500 employees and 37 offices around the world, Control Risks can help you assess and manage the risk to your business, as they have for over 40 years across 178 countries. If you need to get a handle on your cyber risk in an emerging market, Control Risks will meet you there. Find out more at controlrisks.com. That's controlrisks.com, and we thank Control Risks for sponsoring our show.
Dave Bittner: [00:10:36:01] And joining me once again is David Dufour. He's the Senior Director of Engineering and Cyber Security at Webroot. David, welcome back. Happy you can jump on the line with us today. We want to talk about Meltdown and Spectre, get your take on it. Let's just start with some basics.
David Dufour: [00:10:51:08] Well, hey, Dave, thanks for having me back. These are pretty significant in terms of what's going on, because both of them kind of start at the hardware level and work their way up from there. Meltdown does have a software solution, Spectre, we're going to see some stuff over time.
Dave Bittner: [00:11:06:09] So, take us through that. I mean we're seeing the patches being released for Meltdown, but we're also hearing word that this could lead to slowdowns.
David Dufour: [00:11:14:02] Right. That's exactly right. It has to do with the memory and paging, and how that's done physically on the system. And so, operating system providers can do a lot of work in the kernel to lock that down and ensure that, with Meltdown, they're able to secure that memory allocation and that people aren't able to get to things they're not supposed to. But, in doing so, they're having to forgo some of the performance capabilities of that chip, and so you're going to see some hit at the kernel in the operating system, simply to prevent nefarious actors from being able to access those memory locations.
Dave Bittner: [00:11:49:15] And what about with Spectre?
David Dufour: [00:11:50:12] Well, Spectre's kind of an exciting but terrifying thing in and of itself. As with Meltdown, we can get a software solution out pretty quickly and yes, so we have CPU hit, it's a pretty definitive fix. With Spectre, we're seeing that on multiple hardware platforms, and the issue there, without going into too much detail, is how applications are able to access memory. That one is not going to have a straightforward simple fix, and what we're going to see with Spectre is probably something that's going to take time to get software fixes out as we see threats appear. Because the definitive fix would be to ship back all your hardware, have them repurpose circuit boards and then ship your hardware back to you, but obviously that's too costly. So, with Spectre, it's going to take time and we're going to have to pick these threats off one at a time as we see them.
Dave Bittner: [00:12:46:16] I think it's fair to say a sizable percentage of the computing world runs on Intel chips, certainly; they are the dominant player. How do you see this playing out? Obviously we're going to have to see some hardware adjustments from Intel. Will those hardware adjustments necessarily come with a performance hit as well?
David Dufour: [00:13:06:09] So, I think a couple of things. Meltdown is specific to Intel and, as I said, we're seeing some fixes come out already for operating systems around that. Yes, I believe there will be short term hits, or long term even, on that hardware, but I think Intel will have workarounds in place to resolve this problem in new hardware. I couldn't estimate when, but I think moving forward they will have this resolved, they're really good at that. That's specific to Meltdown. Now, the beautiful/terrifying thing about Spectre is it's not just Intel, it's affecting ARM and AMD as well, so it's not just limited to PCs or Macs or things with Intel chipsets, it's going to be across the board on anything with an ARM, an AMD or an Intel chip in it, and that is going to take longer to fix, and I don't think you can recall all these devices from these manufacturers. I mean how many people are manufacturing ARM chips out there?
Dave Bittner: [00:14:01:20] Right.
David Dufour: [00:14:02:19] So, it's just, we're going to have to, as an industry take the time that, when we see threats, it's just one more thing we add to the queue. We're going to have to figure out solutions that protect against those threats and then, from a hardware perspective, I guarantee folks are going back to the drawing board on how to engineer these problems out of those chipsets.
Dave Bittner: [00:14:22:21] So, what's the advice that you would give to different organizations? I mean, we've got enterprise, we've got small business and we've got home users, what should their various approaches be to protect themselves from this? How serious on a day to day basis are we talking about here?
David Dufour: [00:14:37:12] Well, I think that's a great question. First of all, anyone who ever hears me speak, I could be talking about how to bake bread, at the end of that, I always say, "Back up your data and apply security patches." So, number one, first and foremost, when operating system security patches come out for this stuff, apply them as quickly as you can. Some enterprises don't have the luxury of doing it very fast because they have proprietary software, but you do need to apply security patches to this as quickly as possible, and that's really at the enterprise and business level.
David Dufour: [00:15:09:02] For the consumer, you know, I think it's one of those things where you need to be diligent and pay attention to what's going on, but I don't think we know yet what the implications are to, say, smartphones or home PCs or things of that nature. We're going to have to wait and see, because this is a pretty sophisticated kind of issue that a lot of people now are going to try to take advantage of, and we're going to have to watch how that plays out and be ready to create patches or write solutions that protect against it as we start seeing it in the wild.
Dave Bittner: [00:15:39:13] All right. David Dufour, thanks for taking the time for us today.
David Dufour: [00:15:43:06] Great talking to you, Dave, thank you.
Dave Bittner: [00:15:44:05] All right.
Dave Bittner: [00:15:47:07] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:16:09:24] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of Data Tribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.