Meltdown and Spectre Analysis and Current Status

There seems to be a lot of complacent or feel-good news that Meltdown and Spectre will solve themselves or that no worry or care should be taken from users but this couldn’t be further from the truth.  In reality while CPU makers say “there are no known cases of exploits” doesn’t do much to allay fears of those in the know.  This is because Spectre and Meltdown will not leave any trace or evidence that you’ve been hacked.  Although it can be argued that there may be some signs of unauthorized access if that was how access was gained.

However, the nature of Spectre and Meltdown allow for normal authorized users, programs and even scripts on websites to exploit you.  This is why it is so scary as there’s really no way to be certain you haven’t been breached.

It’s an issue for everyone because these exploits could impact anything from your bank, transportation/transit, airplanes, nuclear power plants, and basically anything else that relies on computing security since Meltdown and Spectre are a complete breakdown of those barriers.  I won’t go into more of the basic details but I did make a quick “take on the issue here“.

The good news

There were patches quickly released for a lot of Linux, Windows and Mac devices.  However this doesn’t mean that the users installed the patches or that all users have the ability or access to do so.  Take for example physically remote computers, devices and perhaps some that are running headless that may not be easily accessible or that for some reason have patches disabled (this is more common than you’d think in production or mission critical environments).

Then what about old and unsupported versions of operating systems or that old security system, phone, or TV box, or even ATM whose manufacturer may not be around anymore or is just simply not offering support?

It’s the same issue with many common worms and viruses, patches, and fixes may be issued but millions or more are often still affected long after for various reasons.

The bad news

Even if we assume that Google discovered these flaws first, and if we assume they weren’t mandated to be put there via ARM, AMD and Intel what about insiders who know about this back in June or even earlier on?   From that point a number of individuals and groups could have compromised or damaged sensitive data and computer systems.  There’s still time since a lot of devices and people will not be patched yet.

And to make things worse, the only true way to solve this issue is with a CPU microcode update, which is not simple to deploy especially on embedded devices and any mistake can lead to a bricked device.

These OS patches are just that “patch work”, a hack or work around to mitigate the issue.

Then there’s the question of “we know there are 3 variants or vectors of attack”.  What if there are others that are not yet discovered?  You can be well equipped and funded organizations/hacking groups are working on this as we speak and they certainly won’t be disclosing it.  Until all devices have microcode updates there’s no way to certain we are safe from unknown vectors related to Spector and Meltdown.

What can you do?

Simply look out for the latest updates for your devices/phones/computers and install the update but don’t falsely assume a new update means you are protected unless you’ve read so that “this update fixes the Spectre and Meltdown” issue.

My Take On Meltdown and Spectre Computer Security Flaws

Spectre and Meltdown allow a non-privileged user (non-root/non-Admin)  to access memory they aren’t supposed to essentially dissolving the majority of computing security and privacy barriers.  This could be a guest user collecting sensitive information/passwords for an entire database, group of users, network etc..

If you are using any computing device whether it be an ARM based device, Intel CPU (although Intel is the worst offender at this point), AMD CPU this issue affects you and billions of other devices and users around the world.  Whether you are on Linux, Unix, Windows, Mac this applies to you.  It is really an unmitigated scandal and disaster for both privacy, security and even safety with long lasting and wide ranging ramifications that will continue to playout for years.

I’ve made a comment in the past about security, IOT and how there are many devices that are now unsupported or can’t be updated leading to huge security issues.  We are now unfortunately there and have been since 1995.

This issue was first reported by Google Project Zero and they are known as the Meltdown and Spectre Vulnerabilities that affect all microprocessors made since 1995 (the modern computing era).

To make it worse there are 3 known “variants” or attack vectors known (I suggest there may be more that are undisclosed or not yet known to the public).  With variants 1,2 being very similar (known as Spectre) and variant 3 known as Meltdown.

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

The attack is possible due to “speculative execution” where CPUs (computer chips) essentially try to predict future work needed and will actually do sometimes unneeded work as the performance hit for doing this is less than waiting to execute the instructions later.   This means the computer sometimes performs work that isn’t needed and not used to increase performance, where things have gotten bad is through this feature, it’s possible for a normal user/process to gain unrestricted access to memory that you shouldn’t have access to.

What is Spectre?

The primary variants (1,2) that make up Spectre  rely on the user exploiting the speculative feature of the CPU to write to memory under their control.  This allows a normal user to read basically all memory processes allowing keys, passwords and confidential data to be intercepted.  AMD Claims that Variant #2 does not impact them as well.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

What is Meltdown?

Meltdown is the third and more serious and nasty variant that still relies on the speculative execution exploit/flaw but actually allows the attacker to read arbitrary memory (so basically anywhere at will).  The key feature of Meltdown is that it is the easiest attack to perform and it has been demonstrated on the Intel platform already.

The only good news is that apparently this Meltdown attack only affects Intel and not AMD.

https://access.redhat.com/security/vulnerabilities/speculativeexecution

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Redhat has also done an excellent writeup about the issue here:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

How To Protect Yourself

First and foremost you should update your devices as soon as patches become available.  In Linux enabling KPTI can protect you.   However for some major distributions of Linux users are still waiting for a patch.

If you are vulnerable and performing critical operations it’s time to make tough choices including possibly turning off your machines or denying all non-admin users access to a server/services if possible.

Ensuring rotation of keys and passwords can also mitigate your risks even if passwords have been compromised.

It comes down to good security practices all around such as segregating services to different physical machines, restricting physical and virtual user access.

If possible remove all non-essential or untrusted applications from your device/computer/server.

Dedicated Servers Will Become More Popular

There has been a huge trend to put everything into the Cloud, one that I have reservations with despite owning companies that offer our own private Cloud.

Fortunately we haven’t been impacted by Spectre and Meltdown and are not vulnerable but it does raise questions from our clients that we’ve mentioned before.

I’ve always advocated for physical segregation, which means that if possible you should have your own physical dedicated server that is encrypted and running a minimum set of services with as a few users as possible.  By doing this you significantly reduce your risk in a scenario like this by putting your company database, e-mail, VPN, websites, file server on physically different servers.

Serious Questions and Concerns Raised

I would raise the question that is it really possible that such a wide-ranging exploit was completely unknown for this long until a team from Google discovered it?  Considering the budgets of major intelligence agencies around the world who are constantly looking to find exploits of their own it is conceivable that this vulnerability may have been exploited for far longer than it was publicly known by specific groups.

Another one is Intel’s response to it by apparently being accused of singling out AMD when as of now, Intel is far more vulnerable.

Since these chip makers are all US based is it possible they were mandated by law to introduce speculative execution in such a similar way that this vulnerability would be possible?  Considering recent revelations I don’t think it would be inconceivable.

Are there more than 3 variants and if we assume that no one else really knew about Variants 1-3 is it not possible that a well-armed team could find new ways to exploit them?

Long-term Value for Intel, AMD and ARM

At the time of writing Intel’s stock was down about 3% but this could get worse for either of these companies if one’s vulnerabilities keep increasing and/or one of them is hit with a larger exploit.

Conclusion

It’s hard to give an honest conclusion as we’re just getting started and this is all we know about the Variants 1,2 (Spectre) and Meltdown.  So far it looks like we were lucky to choose AMD.  The key issue that will come out of this is how many devices and users will remain vulnerable by being unable to patch or if they have a device that cannot be easily patched or there is no longer any support from the vendor?  This would increase the amount of zombies and data security breaches several fold.

This is also a good time and a wakeup call for all companies to do a security audit and if they don’t have dedicated security staff, to bring in some good IT and security auditors to assess and mitigate these risks before they become costly losses.

IoT (Internet of Things) Security Issues Increase

IoT (Internet of Things) is simply a fancy way of expressing that we have more devices online and connected to the internet than ever before when compared to my favorite tradition of Desktop PCs, Tablets and Phones. With the advent of embedded computing becoming more affordable, powerful and easier to develop than ever using tools like Raspberry Pi based on the ARM platform, this means we have a plethora of new devices and embedded, internet connected devices added to every day things we use.

Common examples of these are new cars, alarm systems, video cameras/surveillance systems, fridges, stoves, home locks, lights, watches, medical equipment and so much more.
The security issue with these devices is more challenging and complex than ever before for both the end user and businesses using them.

There is no doubt or anyone in denial that it’s an issue and the privacy, security and financial risks can be quite high. Security in general works on the basis of weakest link and it is arguable that a random internet connected device in your house or business poses an immense security risk with some of these devices having little to no security or out in the wild vulnerabilities.

These devices are certainly not impossible to secure, in fact the majority of them are easy to secure but it’s simply not the forefront or priority of most device makers or developers. Because of this devices are often completely unsecured and don’t even need to be hacked, sometimes they run a telnet,ssh or web daemon which can be accessed with no password or a dictionary password like admin/admin root/root or with just a username. There are others which cannot be easily updated which have vulnerabilities that end up being found later and exploited. Even more difficult some of these devices are physically inaccessible and installed in appliances and other devices where it can be harder to update them. A lot of companies would be reluctant to push out updates because often if the update failed it would render the device useless without physical intervention.

We can only hope standards emerge in the industry where updates will be easier, standard and guaranteed but this is unlikely to happen. Even with companies who use these products and recognize it is an issue there is only so much planning that can be done for devices that are not easily managed or accessible.

The only practical solution today is to try to firewall and physically isolate IoT devices where ever possible to reduce the risk (but for a lot of companies this is not easy or practical). At the end of the day more advanced network planning and management will be required and so will hardware firewalls play an ever increasing role in trying to prevent and detect attacks to these devices.

Bitcoin’s Hard Fork of BCH Bitcoin Cash a milestone for cryptocurrency

The hard fork occurred on August 1st, 2017 with some nodes of the Bitcoin network implementing the “Segwit update”.  Although a lot of potential chaos could have happened, many in the industry called it correct that the most probable scenario is that the split would occur with the creation of BCH and Bitcoin users would not lose any coins and would be rewarded with an equal amount of BCH.  However, most exchanges and users were advised to backup their wallets and not do any transactions in the meantime.

Beyond this a lot of questions and issues need to be sorted out in the cryptocurrency world for things to stabilize and be universally accepted by businesses and individuals.  The key issues in my mind are “volatility”, “stability”, “security” and “regulation”. Really a serious issue with either of my three cores issues puts people and businesses at big risk although new updates and coins keep coming out with some promising the solution to these various issues.

Volatility

This is in reference to the extremely unpredictable nature of many currencies and Bitcoin is a core example with rapid swings.  Now people have often been warned that “don’t store your coins for the long-term” and this comes from the Bitcoin team itself as no one can be certain of the future of any coin at this moment.

Some have lamented that cash is the same, this is true but with the caveat that cash is backed by a government and central bank (all of who which do not really like cryptocurrency unless it is managed or under their control-more on regulations later).  Cash of course has had its issues whether run on banks, robberies, theft, fraud and other misuses of currency however cash is what most of us know and there is some safety and security in the “right cash” and at least often some predictability.

Take for example a record high of Bitcoin at the time in 2013 of approximately $1300 USD but sometime in 2015 trading was just at $267 USD.  The point here is that at this time cryptocurrency can be very volatile and unpredictable.  It can create chaos in everyday life for both business and individuals.  A risk that many businesses echo is the above scenario what if you accept payment based on USD in a cryptocurrency and the value plummets by 80% or some other high number suddenly?  It creates huge issues to say the least and time should address them but until there are more coins that have some consistency in their valuation without rapid descents there will be some reluctance.

Stability

There have been many instances on both the networks and exchanges for Bitcoin and Etherum where there are a ton of unconfirmed transactions.   I still have trouble understanding this but there are various numbers of “confirmations” before once can be comfortable they really have the currency that has been sent.  What if the network stops working or slows down creating massive fraud or inability to process transactions?

Fortunately there are new coins coming out which are instant that solve this issue but still there are many in the wild, common and highly valued that do not have these features.

There is also of course the concern that massive DDOS attacks could take out the network of a cryptocurrency or effectively shutting it down.

Security

The biggest threat is that there is the assumption that blockchain is secure and irreversible and it is impossible to play around in ways you shouldn’t.  However, this also relies on someone not finding a weakness or exploit against the blockchain, and what is more probable going forward is that an organization with massive computing power ultimately finds this and exploits this in various ways.

There are also other considerations such as people losing their coins to viruses or hackers, this has even happened to exchanges such as Coinbase executives.  One thing for sure is that it is not wise to leave your coins in an exchange if not for the risk that in the recent Bitcoin Fork the exchange refuses to give you the split/new currency.

Regulation

This is the biggest uncharted territory but governments and large financial institutions have made their position clear and my interpretation is that “we love blockchain” but “we hate that it is not under our control yet”.  This will have significant repercussions worldwide on how individuals and businesses deal with cryptocurrency.  Significant regulation and the introduction of state-run/central cryptocurrencies could potentially wipe out or make worthless some coins overnight. On another note it appears to be increasingly difficult to buy or sell out of the cryptocurrency markets with banks making it increasingly difficult for the coin exchanges to operate.

Conclusion

Bitcoin and other cryptocurrencies have made it far beyond the naysayers and through many difficult and unpredictable times.  Ultimately I believe cryptocurrency will continue to evolve and improve but as with any tool there are always going to be some pitfalls and bottlenecks.

My Take On WannaCry

Reading media coverage of the WannaCry, ransomware attack has been excruciatingly frustrating because little to no information was offered on how infection happens and how to protect yourself.

This issue has been a bit frustrating and unhelpful as an IT professional and user if I didn’t find the right answers there is something seriously wrong.  I couldn’t find the important information in any of the mainstream articles so certainly a novice or amateur user would have no chance of protecting themselves.

How Did WannaCry Infect and Spread?

Long version here from Malwarebytes

One of the key ways is still the oldest “phishing” trick in the book, via e-mail which many users are tricked into opening infected attachments.  This was not readily available in media coverage and this simple warning or announcement could have prevented a lot of new infections.  I believe this is a key factor that has not been discussed since many networks will be behind NAT and external SMB services would be blocked, having users on the LAN install the worm is an easy way to get inside and spread the infection to areas that are hardened on the outside.

The more technical explanation there is an exploit called “ETERNALBLUE” which was a hacking tool leaked from the NSA which exploited a weakness in Microsoft’s implementation of SMB (Server Message Block/filesharing protocol).   This has been widely reported but the simple way to prevent automatic infection through this method has not.

Once infected the worm essentially scans your LAN and then the internet to spread the infection further which quickly multiplied the damage and scope of this attack.

How to protect yourself?

  1. First and foremost is to update your Microsoft Windows regardless of OS (whether you have XP, Vista, 7, 10, 12 or any Server) because all Microsoft versions are apparently impacted by MS17-010 ETERNALBLUE/WannaCry
  2. Disable SMB/Filesharing in Windows and if that is not possible at least use firewall settings to block SMB/filesharing/CIFS.
  3. If the above is not possible you should physically unplug any impacted machines from the network (it could be a simple as disabling all ports on your network/switch or even unplugging entire switches if possible).

Who is to blame?

There is plenty of blame to go around but currently a lot of it is coming from Microsoft who is blaming users for not patching and the NSA for hoarding these exploits and not notifying them or users beforehand.

In all fairness Microsoft did issue patches for even unsupported OS’s like Vista and XP on March 14th, 2017.

Many have mused that the NSA should have at last notified Microsoft the moment they realized their hacking tools were leaked.

At the end of the day the question is how could Microsoft have left open such a serious vulnerability for so long?  Was it an intentional backdoor and was it collaboration between Microsoft and the NSA or other third parties?

Some Can’t Patch

Some systems may be running on internal networks on their own LAN but were still infected so they wouldn’t be patched.  To make matters worse the chances are these would more likely be critical data and infrastructure that are impacted in this case.

Other machines are not managed properly or remotely and are deployed with internet access making them sitting ducks for these types of attacks.

There are also some who just don’t patch because the risk to impacting existing services is too great.  Although I would argue the risk is much higher to not patch and not upgrade or migrate your applications to a more secure platform if you get hit with ransomware like this.

These Issues Are Nothing New

With the Snowden revelations many have worried that US tech companies being forced to provide backdoor access to the NSA would be vulnerable should other hackers discovery the vulnerabilities or intentional backdoors on their own, or in this case when the tools and exploits were somehow leaked.

In the wider scope of things Microsoft has seen worms of this scale in the past, it’s nothing new.  There are no worldwide protocols for notifying users or defending against such worms and this will certainly become an increasingly problem with more and more devices online especially with IoT and so many devices that are connected that we don’t think about, and that don’t get patched or may not have an easy or automatic way of updating.