Intel Processors Zombieload Flaw

Yet another chip flaw allows attackers to steal any data that has recently been accessed by the processor. Almost every Intel chip manufactured since 2011 is vulnerable. The good news is that attackers must be able to run code on the machine, which means the machine must already have been compromised in some other manner.

Microsoft, Apple, and Google have already issued updates to mitigate the vulnerability, which belongs to the Microarchitectural Data Sampling (MDS) class of flaws. AWS has also patched its hypervisors and published a Security Release.

Red Hat’s YouTube channel has an excellent video detailing the MDS exploit.

Codedamn has a short video demonstrating the attack in action.

IoT Device Compromises Casino’s Database

An unnamed North American casino had its high-roller database stolen, an interesting but not uncommon story in the modern world of cybersecurity. Let’s ratchet the quirkiness up a notch: the hackers breached the network through an IoT thermostat in a fish tank located in the casino’s lobby. This latest hack once again calls into question the inherent insecurity that comes with the drastic increase in Internet-connected devices.

The statistics are staggering. The IoT industry is holding steady at 19.2% compound annual growth. IoT usage in industrial manufacturing is expected to reach nearly one trillion dollars by 2020. The number of IoT devices currently in use is estimated at thirty-one billion. That number is expected to rise to over seventy-five billion by 2025.

These connected devices drastically expand the attack surface, and unlike traditional networked devices, security is often an afterthought, if it is addressed at all. Thermostats, refrigerators, light bulbs, smart speakers, picture frames… these single- or narrow-use devices are churned out at competitive prices, and if we’ve learned anything over the last decade, it’s that security is hard.

Robert Hannigan ran the British government’s digital-spying agency, Government Communications Headquarters, from 2014 to 2017 and recently spoke at the WSJ CEO Council Conference in London, “With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that’s going to be an increasing problem… I saw a bank that had been hacked through its CCTV cameras because these devices are bought purely on cost.”

Calling for stronger regulations, he said, “It’s probably one area where there’ll likely need to be regulation for minimum security standards because the market isn’t going to correct itself. The problem is these devices still work — the fish tank or the CCTV camera still work.”

Blockchain 101

What is Blockchain?

Blockchain is a resilient, distributed, and decentralized digital ledger of transactions. It allows digital information to be distributed but not copied. Traditionally, central authorities were needed to act as arbiters of trust between parties wishing to transact online. The blockchain makes it possible for peers to guarantee transactions in an automated, secure fashion. In short, blockchain makes possible the digital equivalent of cash changing hands.

Where did it come from?

Although blockchain saw its first effective use with the advent of Bitcoin, its roots can be traced back to 1976 and a paper titled New Directions in Cryptography [1] by Whitfield Diffie and Martin Hellman (yep, those guys [2]), in which they postulated the idea of a distributed ledger. Obviously, certain things were required for this idea to come to fruition: a vast network of interconnected computers with enough computing power to crunch through the complicated calculations required to validate the blocks (transactions) in a blockchain. Fast forward to 2009 and the conditions were right for a real-world application. Enter Bitcoin. Part of the brilliance of using blockchain to create a digital currency is the ability to build in a financial incentive for users who are willing to spend their computing power validating the blockchain: voluntarily validating Bitcoin transactions can earn a fraction of a bitcoin as compensation. This has given rise to the term miner, and to people building special-purpose computers solely for high-performance mining.

As an interesting aside, electricity usage by machines mining Bitcoin is expected to top forty-two terawatts this year, which puts it just behind Peru in terms of energy demand.

How do cryptocurrencies use Blockchain?

Bitcoin and alternative currencies like Ethereum and Litecoin all utilize blockchain technology a bit differently. In the case of Bitcoin, a new block in its blockchain is created roughly every ten minutes. That block verifies and records the new transactions that have taken place. For that to happen, mining computers provide a proof-of-work: a calculation that produces a hash which verifies the block and the transactions it contains. Several of those confirmations must be received before a bitcoin transaction can be considered effectively complete. This provides resiliency, as multiple independent entities all verify each transaction, and the entire blockchain is maintained in this way. It means that no single entity can control the market or manipulate the blockchain’s history without controlling 51% of all mining computers, a feat reasonably assumed to be impossible. This is a vital component, because each block certifies everything that happened in the chain before it, so no one person can go back and change things. It makes the blockchain a public ledger that cannot be easily tampered with, giving it a built-in layer of protection that isn’t possible with a standard, centralized database of information.
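To make the hash-linking and proof-of-work described above concrete, here is an added toy example in Python (not code from the article or from any real cryptocurrency); the difficulty target, block layout and sample transactions are assumptions chosen for illustration. It mines a short chain, then shows that editing a past transaction breaks validation at that block and that re-mining the edited block only moves the break to the next one.

```python
import copy
import hashlib
import json

DIFFICULTY = 3  # required leading hex zeros; a toy target, far below Bitcoin's real one

def block_hash(block):
    # Hash the block body (everything except the stored hash) in a canonical order.
    body = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def mine_block(index, prev_hash, transactions):
    # Proof-of-work: bump the nonce until the hash meets the difficulty target.
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block

def build_chain(tx_batches):
    # Genesis block first; every later block commits to its predecessor's hash.
    chain = [mine_block(0, "0" * 64, [])]
    for txs in tx_batches:
        chain.append(mine_block(len(chain), chain[-1]["hash"], txs))
    return chain

def validate_chain(chain):
    # Return the index of the first inconsistent block, or None if the chain holds up.
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"] or not block["hash"].startswith("0" * DIFFICULTY):
            return i
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return i
    return None

def tamper_and_check(chain):
    # Rewrite one transaction amount and show why the edit does not survive validation.
    forged = copy.deepcopy(chain)
    forged[1]["transactions"][0]["amount"] = 1000
    broken_at = validate_chain(forged)  # block 1: stored hash no longer matches its contents
    # Re-mining block 1 only moves the break: block 2 still commits to the old hash, so an
    # attacker would have to redo the proof-of-work for every block that follows.
    forged[1] = mine_block(1, forged[0]["hash"], forged[1]["transactions"])
    return broken_at, validate_chain(forged)

SAMPLE_TXS = [  # constructed sample transactions for this example
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
]
```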

What is the future of Blockchain?

It’s definitely too early to tell, but the possibilities are vast. Blockchains could drastically improve identity management online, reducing identity theft. Blockchain could also help secure the woefully unsecured Internet of Things as well as networking in general. Blockchain technology could be used to distribute social welfare in developing nations, and even completely disrupt the election process.

In the cyber security world (and others), non-repudiation is a huge deal. Blockchain could complete the trifecta, slotting in alongside digital signatures and cryptography.

[1] Whitfield Diffie and Martin Hellman, “New Directions in Cryptography,” 1976: https://ee.stanford.edu/~hellman/publications/24.pdf

[2] https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Memcached DDoS Attack Reaches 1.7 Terabits

There’s a new DDoS attack in town and it’s a doozy. This amplification attack takes advantage of unsecured (misconfigured) Memcached servers, and the return on investment for the attacker is staggering: a forged request sent to a susceptible Memcached server on port 11211 triggers a response to the intended target that has been amplified by a factor of 51,000. The result has been the largest sustained denial-of-service attacks in history. GitHub successfully withstood a 1.3 terabit-per-second attack, and several days later an unnamed company in the United States was buffeted by a 1.7 Tbps attack.
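As an added, defender-side example that is not part of the original article, the following Python checks a memcached host’s UDP flow records for the reflection pattern described above: a peer that receives far more bytes from port 11211 than it ever sent to it is almost certainly a spoofed source, that is, the real target. The flow-record format, addresses and threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211
# Flag a peer once the bytes it receives from our UDP/11211 exceed what it sent by this factor.
AMPLIFICATION_THRESHOLD = 100

# Constructed flow-record format for this example: "<timestamp> UDP <src>:<sport> -> <dst>:<dport> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) UDP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)

def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None  # not a UDP flow record in the expected shape; skip it
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}

def find_amplification_victims(lines, server_ip):
    """Return {peer_ip: ratio} for peers receiving far more from UDP/11211 than they sent to it."""
    # A large ratio means the peer is most likely the spoofed victim of a reflection attack.
    to_server = defaultdict(int)    # bytes each peer sent to our memcached UDP port
    from_server = defaultdict(int)  # bytes our memcached UDP port sent to each peer
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["dst"] == server_ip and f["dport"] == MEMCACHED_UDP_PORT:
            to_server[f["src"]] += f["bytes"]
        elif f["src"] == server_ip and f["sport"] == MEMCACHED_UDP_PORT:
            from_server[f["dst"]] += f["bytes"]
    flagged = {}
    for peer, sent in from_server.items():
        ratio = sent / max(to_server[peer], 1)  # avoid division by zero for unsolicited output
        if ratio >= AMPLIFICATION_THRESHOLD:
            flagged[peer] = round(ratio)
    return flagged

# Constructed sample flows using documentation address ranges; 192.0.2.10 is "our" memcached host.
SAMPLE_FLOWS = [
    "2018-03-01T10:00:01 UDP 198.51.100.20:52000 -> 192.0.2.10:11211 60",   # legitimate client
    "2018-03-01T10:00:01 UDP 192.0.2.10:11211 -> 198.51.100.20:52000 800",  # modest reply
    "2018-03-01T10:00:02 UDP 203.0.113.5:42000 -> 192.0.2.10:11211 15",     # tiny spoofed request
    "2018-03-01T10:00:02 UDP 192.0.2.10:11211 -> 203.0.113.5:42000 1400",   # large replies follow
    "2018-03-01T10:00:02 UDP 192.0.2.10:11211 -> 203.0.113.5:42000 1400",
    "2018-03-01T10:00:02 UDP 192.0.2.10:11211 -> 203.0.113.5:42000 1400",
    "2018-03-01T10:00:03 TCP 198.51.100.21:40001 -> 192.0.2.10:11211 120",  # TCP: ignored here
]
```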

According to Wikipedia, “Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read.” The Memcached software is free and open source, runs on Linux, OS X, and Windows, and has seen widespread adoption over the last decade.

Usually, these servers are used internally, disconnected from the public internet and accessible only within a trusted network, purely to improve performance. But it appears that a lot of people have been leaving Memcached servers exposed to the open internet, where they can be discovered and exploited by just about anyone.

Indeed, tools have already started cropping up that enable ‘script kiddies’ to take advantage without understanding the underlying technology. One such tool, written in C, comes complete with a pre-compiled list of 17,000+ vulnerable Memcached servers. Another, written in Python, leverages Shodan to search for and obtain a fresh list of vulnerable servers. Both tools automate the sending of spoofed UDP packets.

The original version of Memcached, created by Brad Fitzpatrick, did not support UDP. That functionality was added in 2008 by Facebook. The change was made without providing any means of authentication, as the developers wrongly assumed that these servers would only ever run inside trusted networks. Later versions of the software eventually added authentication support for TCP but again left UDP out of the loop. That was, of course, until terabit-level denial-of-service attacks broadsided several sites last week. The open-source project was quickly updated to disable the UDP port by default.

Similar to herd immunity, sites will not be safe from this attack until enough Memcached servers are patched or otherwise secured, a process that many experts predict will take quite some time.