Blog

Intel Processors Zombieload Flaw

Yet another chip flaw allows attackers to steal any data that’s recently been accessed by the processor. Almost every Intel chip manufactured since 2011 is vulnerable. The good news is that attackers must be able to run code on the machine, which requires the machine to have already been compromised in some other manner. 

Microsoft, Apple, and Google have already issued updates to stop the vulnerability, which takes advantage of Microarchitectural Data Sampling. AWS has also patched their hypervisors and published this Security Release.

Red Hat’s YouTube channel has an excellent video detailing the MDS exploit.

Codedamn has a short video demonstrating the attack in action.

IoT Device Compromises Casino’s Database

An unnamed North American casino had its high-roller database stolen. An interesting but not uncommon story in the modern world of cybersecurity. Let’s ratchet the quirkiness up a notch; the hackers breached the network through an IoT thermostat in a fish tank located in the Casino’s lobby. This latest hack calls back into question the inherent insecurity associated with the drastic increase in Internet-connected devices.

The statistics are staggering. The IoT industry is holding steady at 19.2% compound annual growth. IoT usage in industrial manufacturing is expected to reach nearly one trillion dollars by 2020. The number of IoT devices currently in use is estimated at thirty-one billion. That number is expected to rise to over seventy-five billion by 2025.

These connected devices drastically expand the attack surface, and unlike traditional networked devices, security is often an afterthought if addressed at all.  Thermostats, refrigerators, light bulbs, smart speakers, picture frames…these single or narrow-use devices are churned out at competitive prices, and if we’ve learned anything over the last decade it’s that security is hard.

Robert Hannigan ran the British government’s digital-spying agency, Government Communications Headquarters, from 2014 to 2017 and recently spoke at the WSJ CEO Council Conference in London, “With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that’s going to be an increasing problem… I saw a bank that had been hacked through its CCTV cameras because these devices are bought purely on cost.”

Calling for stronger regulations, he added, “It’s probably one area where there’ll likely need to be regulation for minimum security standards because the market isn’t going to correct itself,” he said. “The problem is these devices still work — the fish tank or the CCTV camera still work.”

Blockchain 101

What is Blockchain?

Blockchain is a resilient, distributed, and decentralized digital ledger of transactions. It allows digital information to be distributed but not copied. Traditionally, central authorities were needed as an arbiter of trust between parties wishing to transact online. The blockchain makes it possible for peers to guarantee transactions in an automated, secure fashion. In short, blockchain makes possible the digital equivalent of cash exchanging hands.

Where did it come from?

Although blockchain saw its first effective use with the advent of Bitcoin, its roots can be traced back to 1976 in a paper titled New Directions in Cryptography1 written by Whitfield Diffie and Martin Hellman (Yep, those guys2), where they postulated the idea of a distributed ledger. Obviously certain things were required for this idea to come to fruition; a vast network of interconnected computers with enough computing power to crunch away at the complicated calculations required to validate the blocks (transactions) in a blockchain. Fast forward to 2009 and conditions are right for a real world application. Enter Bitcoin. Part of the brilliance of using blockchain to create digital currency is the ability to build in a financial incentive for users that are willing to use their computing power to validate the blockchain. Voluntarily validating Bitcoin transactions has the possibility of producing a percentage of a Bitcoin as compensation. This has given rise to the term miner and people building special purpose computers solely for the sake of high-performance mining.

An interesting aside, electricity usage for machines mining Bitcoin is expected to top forty two terawatts this year. That puts it just behind Peru in terms of energy demand.

How do cryptocurrencies use Blockchain?

Bitcoin and alternative currencies like Ethereum and Litecoin all utilize blockchain technology a bit differently. In the case of Bitcoin, a new block in its blockchain is created roughly every ten minutes. That block verifies and records new transactions that have taken place. In order for that to happen, mining computers provide a proof-of-work; a calculation that creates a hash which verifies the block and the transactions it contains. Several of those confirmations must be received before a bitcoin transaction can be considered effectively complete. This provides resiliency as multiple independent entities all verify each transaction. The entire blockchain is maintained in this way. This means that no single entity can control the market or manipulate the blockchain’s history without controlling 51% of all mining computers. A feat reasonably assumed to be impossible. This is a vital component, because it certifies everything that has happened in the chain prior, and it means that no one person can go back and change things. It makes the blockchain a public ledger that cannot be easily tampered with, giving it a built-in layer of protection that isn’t possible with a standard, centralized database of information.

What is the future of Blockchain?

It’s definitely too early to tell, but the possibilities are vast. Blockchains could drastically improve identity management online, reducing identity theft. Blockchain could also help secure the woefully unsecured Internet of Things as well as networking in general. Blockchain technology could be used to distribute social welfare in developing nations, and even completely disrupt the election process.

In the Cyber Security world (and others), non-repudiation is a huge deal. Blockchain could complete the trifecta, slotting in with digital signatures and cryptography.  

1 https://ee.stanford.edu/~hellman/publications/24.pdf

2 https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Memcached DDOS Attack Reaches 1.7 Terabits

There’s a new DDOS attack in town and it’s a doozy. This amplification attack takes advantage of unsecured (misconfigured) Memcached servers and the return-on-investment is staggering. Sending a forged request to a susceptible Memcached server on port 11211 will trigger a response to the intended target that has been amplified by a factor of 51,000. The result is the largest sustained denial of service attacks in history. GitHub successfully withstood a 1.3 Terabit-per-second attack and several days later an unnamed company in the United States was buffeted by a 1.7 Tbps attack.

According to Wikipedia, “Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read.” The Memcached software is free and open-sourced and runs on Linux, OS X, and Windows, with wide spread adoption over the last decade.

Usually, these types of servers are used internally, disconnected from the public internet and only accessible within a trusted network to improve performance. But it appears a lot of people have been leaving Memcached servers exposed to the open internet where they can be discovered and exploited by just about anyone.

Indeed, tools have already started cropping up enabling the ‘script-kiddies’ to also take advantage without understanding the underlying technology. One such tool, written in C, comes complete with a pre-complied list of 17,000+ vulnerable Memcached servers. Another, written in Python, leverages Shodan to search for and obtain a fresh list of vulnerable servers. Both tools automate the sending of spoofed UDP packets. 

The original version of Memcached, created by Brad Fitzpatrick, did not support the UDP protocol. That functionality was added in 2008 by Facebook. The change was made without providing for mean to authenticate as developers falsely assumed that these servers would only run inside trusted networks. Later versions of the software eventually added authentication support for TCP but again left UDP out of the loop. That was, of course, until terabit-level denial of service attacks broadsided several sites last week. The open-source project was quickly updated to lock down the UDP port by default.

Similar to herd immunity, sites will not be safe from this attack until enough Memcached servers are patched or otherwise secured. A process that many experts predict will take quite some time.

What is Wannacry Ransomware? How can I stay protected?

You come into work just like any other day. Make coffee, sit down at your desk, login to your PC only to realize the applications that run your business no longer work. You try another with the same results. You start to notice odd file types that you have never seen before. You cannot open anything. You see a message that says “Pay us or your data is gone forever.” You start thinking, “is this happening to me, to us, to my company?” Are you prepared for a nightmare scenario like this?

Over the last few years, the malware strains dubbed “ransomware” have forever changed the approach to network security. Prior to this, a virus was inconvenient but not devastating. It may mess up a single machine but would not affect other machines on the network. It could be fixed relatively easily. I miss those days.

What is Ransomware?

Just like the name suggests, it will hold your files for ransom. The infection usually comes from a single PC on your network. There are several ways this infection spreads. The most common being email, there is also “drive-by malware” which can infect your machine by visiting a website hosting the virus. A simple mistyped website could land you at one such place.

How is Wannacry Ransomware different? Why is everyone making a big deal out of this?

This infection is a new method that has not been seen before. This new high tech exploit was developed by none other than the NSA. Somehow the tech was leaked to the public. It preys on systems that have out of date operating systems and not up-to-date on the latest Microsoft UpdatesThis means there is no email link to click, there is no malicious website to visit. The infection could find you if your network is unpatched for this vulnerability. It does this by port scanning IP address and attacking those with vulnerabilities.

How can I stay protected?

There is no single product, vendor, or service that can stop this type of security threat. The answer is a series of products and policies that work together to create a security suite. This includes Anti-Virus software. While this is a must-have, it will not always protect you from every threat. The phrase “Don’t put all your eggs in one basket” applies here.

What security practices should I have?

The best security approach is multi-layered:

  • Firewall that has threat management. This device is scanning and protecting the network in real time. It is stopping things before they can become a problem.
  • Anti-Virus software should be installed on every PC on the network and up to date.
  • Backups should be located onsite and offsite for redundancy. They should be checked daily to verify their integrity.
  • User Education is often overlooked but is critical to overall security. How to know if an email is legitimate or not. Reach out to your IT staff if you are ever unsure of a suspicious email or website.

Ransomware is not going away anytime soon. The threat landscape will always be changing. A business needs to be aware of these threats and take steps to keep their information safe. With the right security and backups policies, you can greatly minimize your exposure to security threats like this. Your business needs to be prepared for the worst.