Thursday, 4 January 2018

Meltdown and Spectre: Intel AMD ARM Processor Security Flaws Overview

The New Year has started with a big security bang after new dangerous security vulnerabilities were discovered within Intel, AMD and ARM processors, placing just about every Server, PC, Cloud Service, IoT device, Smartphone and Tablet on the planet at risk. 

Google Security Researchers (aka Project Zero) spearheaded the discovery of the new computer processor flaws, which they have named 'Meltdown' and 'Spectre' when breaking the bad news on 3rd January. Both Meltdown and Spectre allow an attacker or malware to access privileged information from within what is meant to be a protected area of (kernal) memory. Meaning the potential disclosure of passwords, encryption keys, and confidential data from within virtual environments i.e. where multiple virtual machines are hosted on a single hardware platform.

Meltdown
The Meltdown vulnerability is present on all Intel processors manufactured after 1995 and is the easiest of the two flaws to be exploited. This vulnerability exploit is known as "rogue data cache load", will be resolved by operation system patches/updates by Microsoft (KB4056892), Apple, and the various Linux distributions. However, the bad news is these patches are expected to slow (processors) computer systems down between 5% and 30% according to researchers, given it will be essentially a software patch to fix a hardware defect.

Meltdown Exploit Demo

Spectre
The Spectre vulnerability is present on Intel, AMD and ARM processors, and involves two more conceptual methods of attack called 'bounds check bypass' and 'branch target injection', both of which appear to be pretty difficult to execute. Spectre will be much harder to fix by vendors, so expect to wait for the patch releases for it. 
Are the Meltdown & Spectra Attacks being used by Hackers?
It is not currently known if hackers or malware have exploited either Meltdown and Spectre vulnerabilities. Detecting these type of processor exploits is far from easy, as specific processor activity is not typically recorded and checked in centralised security audit log files and audit systems, therefore Meltdown and Spectre exploitations are extremely hard to detect.

Recommended Response
The recommended course of action is to quickly apply the Meltdown and Spectre operation systems\vendor security patches as they are made available, but be mindful of the impact these patches will have on systems, namely, the negative processor performance, and any potential issues with anti-virus software and applications which could impact critical services, especially on servers and within virtual\cloud environments and on low processor powered devices such as IoT devices. Therefore comprehensive patch testing and a rollback plan are essential within businesses environments before Meltdown and Spectre patches are applied, and will help to identify and address any significant performance issues caused by the patches.

Within high-security environments, consider a strategy to replace all (processor) hardware, although a labour intensive and costly approach, it would provide a much higher degree of assurance once fixed processors are released by the chip manufacturers. Hardware replacement may even be a cost-effective approach in the medium to long-term if the performance impact of the patches turns out to be particularly severe.

Tuesday, 2 January 2018

Cyber Security Roundup for December 2018

UK supermarket giant Morrisons, lost a landmark data breach court case in December after a disgruntled Morrisons employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused. Morrisons said it believed it should not have been held responsible and would be appealing against the decision. If the appeal is lost it could open up the possibility of further class action lawsuits cases by individuals. Pending the GDPR becoming law in May 2018, such a court ruling sets a legal precedent for individuals to claim damages after personal data losses by companies through the courts as well. After May 2018, the GDPR grants individuals the right sue companies for damages following personal data breaches. So we can expect 'ambulance chasers' lawyers to pick up on this aspect of the GDPR, with class action lawsuits following data breaches, it well could become the new "P.P.I. industry"

Any businesses or individuals using Kaspersky should be aware the UK National Cyber Security Centre has warned government agencies against using the Russian supplier’s products and services, which follows a ban by US government departments in November. Barclays responded to the warning by stopping their free offering of Kaspersky anti-virus products to its customers. 2017 saw Cyber Security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devasting WannaCry attacks earlier in the year, personally, I blame poor patch management and hackers, not the North Korea cyber army!

Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims of Mr.Green accessed porn on his Parliment computer. This was activity was reported by a retired Police officer, which was said to be a breach of the data protection act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by ICO to MPs on password sharing. 

The fact illicit websites were not blocked by Parliament systems is one concerning lack security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to be understanding the risk and setting laws to protect UK citizens from cyber attacks and data breaches. Its another "slap palm on head" after the last UK Prime Minister announced he wanted to ban encryption.

2017 has seen huge rises in cryptocurrencies values, which has placed cryptocurrency brokers and user crypto coin wallets in the sights of cybercriminals. This month mining platform NiceHash was breached by hackers, who stole £51 million worth of Bitcoin and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in the cyber-attacks. I think we can expect further cryptocurrencies attacks in 2018 given the cryptocurrency bubble is yet to burst.

Faked LinkedIn profiles are nothing new, however, the German Intelligence Agency (BfV) said it had spotted China were using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.

Finally, Hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Thursday, 30 November 2017

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patches releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything IT to ensure you and your business stays ahead of enterprising cybercriminals, the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw Open Web Application Security Project (OWASP) finally released an updated version to its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Wednesday, 1 November 2017

Cyber Security Roundup for October 2017

State-orchestrated cyber attacks have dominated the media headlines in October, with rogue state North Korea and its alleged 6,800 strong cyber force blamed for several cyber attacks. International intelligence scholars believe the North Korean leadership are using cyber warfare to up the political ante with their ongoing dispute with the United States. The North Koreans, as well as terrible security practices, were directly blamed by the UK National Audit Office for the recent NHS WannaCry attack (despite North Korea denying it). North Korea was also reported to be implicated in the stealing US War Plans from South Korea, and for a spear phishing campaign against the US Power Grid. The possible Russian manipulation of the US election with cyber attacks and rogue social media campaigns is still a story not going away, while the Chinese are alleged to be behind the data theft of Australian F-35 fighter jet, in what is described as an 'extensive' Cyberattack. The finger was pointed at Iran for the recent Parliamentary Emails cyber attacks in the UK, meanwhile, EU governments venting their cyber concern, warning that Cyber Attacks can be an Act of War.

Stephen Hawking caused controversy in both the science and tech industry last year when he said Artificial Intelligence could be a serious threat to human existence, could the plot of The Terminator really come to fruition? Perhaps so, as it was reported that AI had already defeated the Captcha Security Check system. Personally, I believe both AI and Quantum Computing will pose significant new threats to cybersecurity space in the next decade.

A far higher number of personal records were compromised in the Equifax data breach than was previously thought, with millions of UK citizens confirmed to be impacted by the US-based credit checking agency hack. Equifax’s now ex-CEO provided an interesting blow-by-blow account of the cyber-attack at a US government hearing, even though Equifax technical staff were specifically warned about a critical Apache Struts (web server) patch, it was ignored and not applied, which in turn allowed hackers to take full advantage of vulnerability to steal the Equifax data on mass. To make matters even worse, the Equifax consumer breach help website was found to be infecting visitors with spyware.

Yahoo revealed all 3 Billion of its user accounts had in fact been breached, in what is truly an astonishing mammoth sized hack, biggest in all history, so far. Elsewhere on the commercial hacking front, Pizza Hut's website was reported to be hacked with customer financial information taken, and Disqus said a 2012 breach it discovered in October exposed the information of 17.5 million its users from as far back as 2007.

It was a super busy month for security vulnerability notifications and patch releases, with Microsoft, Netgear, Oracle, Google, and Apple all releasing rafts of critical level patches. A serious weakness in the wireless networking WPA2 protocol was made public to great fanfare after researchers suggested all Wifi devices using WPA2 on the planet were vulnerable to an attack called Krack, which exploited the WPA2 weakness. Krack is a man-in-the-middle attack which allows an attacker to eavesdrop or redirect users to fake websites over Wifi networks secured using the WPA2 protocol. At the time of writing most wireless access point vendors and operating system providers had released patches to close the WPA2 vulnerability, and there have been no known exploits of the vulnerability reported in the wild.

BadRabbit is a new strain of ransomware which is emerging and is reported to be infecting systems and networks in Russia and the Ukraine at the moment. BadRabbit is the latest network self-propagating malware, like NotPeyta and WannaCry, to use the NSA EternalRomance hacking tool. A massive new IoT botnet was discovered, its continued growth is fuelled by malware said to be more sophisticated than previous IoT botnet king, Mirai. Russian based threat actor group APT28 is said to be targeting the exploitation of a recently patched Adobe vulnerability (CVE-2017-11292), in using malicious Microsoft Word attachment, so ensure you keep on top of your system patching and always be careful when opening email attachments. 

Finally, the UK National Cyber Security Centre (NCSC) released its first annual report, as it seeks to improve cybersecurity across the UK. Among NCSC achievements cited in the report are:
  • The launch of Active Cyber Defence, credited with reducing average time a phishing site is online from 27 hours to 1 hour
  • Led UK response to WannaCry
  • Advice website with up to 100,000 visitors per month
  • Three-day Cyber UK Conference in Liverpool
  • 43% increase in visits to the Cyber Security Information Sharing Partnership (CiSP)
  • Produced 200,000 physical items for 190 customer departments via UK Key Production authority to secure and protect communications of Armed Forces and national security
  • 1,000 youngsters on CyberFirst courses and 8,000 young women on CyberFirst Girls competition.
  • Worked with 50 countries, including signing Nato's MoU
NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Friday, 20 October 2017

How to start a Career in Cyber Security

I received an infographic by cybersecurityjobs.net on the top ten tips on landing a cyber security job, I  thought it provided excellent advice for budding cyber security professionals looking to gain a foothold. 

There is a considerable shortage of experienced cyber security professionals in the UK, but starting out in cyber security is a 'chicken and egg' scenario, in that it can be difficult to land a cyber security job without having the experience, but you can't get the necessary experience without being in a dedicated cyber security role. 

If you are struggling to get into the industry I recommend initially specialising in a specific area of security, undertake training and gain qualifications. Be patient, expand upon your areas of knowledge and experience, working your way up in different roles to your dream cyber security job. Dream big, but think small.

Monday, 16 October 2017

Krack WiFi Attack: Vulnerabilities in WPA2 Protocol

All Wi-Fi connections are potentially vulnerable to a newly discovered security attack called "Krack", which allows an attacker to listen in on internet traffic (a Man-in-the-Middle Attack) over a wireless network. 

In theory, a hacker could read your web and email communications, and even inject malware like ransomware onto your device. Krack takes advantage of unpatched Apple, Android, and Windows operation systems, while unpatched Wi-Fi access points can be manipulated to orchestrate the man-in-the-middle attack.

The sky is not falling in on WiFi, this is not like the WEP protocol situation of many years ago, WEP is a security protocol fundamentally flawed by design, WPA2 encryption is not broken, the software that uses it needs to be corrected to secure it. Wireless Access Points (APs) and operating systems that use WPA2 are (or soon will be) patchable, which protects them from this attack.

For a video demo of the attack see - https://www.krackattacks.com/#demo 
For the full technical details of the WPA2 flaw and attack method see - https://papers.mathyvanhoef.com/ccs2017.pdf

Wireless Usage Advice
  • Make sure your laptop operating system has the very latest security updates patched (always) i.e. Windows, Linux, Mac. Microsoft said they have already patched Windows systems, but at this time have not confirmed details about which patch it was. Several Linux distributions have released patches for the flaw.
  • Make sure your smartphone and tablet devices have the latest security updates patched, especially Android devices, and Apple, and Windows (if anyone still uses it)
  • As always, if you are going to use public WiFii networks, my first suggestion is to avoid using public WiFi, but if you are, use VPN software. Using a secure VPN will protect you against "Krack exploited" public WiFi access points, regardless of patching and whether AP is exploited. Failing that, if you like to take risks with your personal and confidential information, as a very last resort ensure you use "https://" websites only, and be extra vigilant the "https://" do not revert to "http://".  If it does, it is a clear sign of a compromised wireless network and of your connection to it.

Preventing Your Wireless Access Point from being Exploited
Wireless Access Points (AP) firmware versions are presently being updated and released to fix this WPA2 flaw, apply them with they are released - see https://www.kb.cert.org/vuls/id/228519/. AP firmware patches are often missed, as routers updates tend not to be applied automatically.

Monday, 2 October 2017

Cyber Security Roundup for September 2017

A massive data breach at Equifax dominated the UK media finance headlines this month, after 143 million customer records were compromised by a cyber-attack, 400,000 of which were UK customer accounts. Hackers took advantage of Equifax’s negligence in not applying security updates to servers. The data breach has already cost the CEO, CIO and CISO their jobs. In the UK Equifax faces investigations and the prospect of significant fines by both the Financial Conduct Authority and the Information Commissioner's Office over the loss of UK customer financial and personal data respectively.

Hackers stole a quarter of a million Deloitte client emails, follow the breach Deloitte was criticised by security professional for not adopting two-factor authentication to protect the email data which they hosted in Microsoft’s Azure cloud service.

September was an extremely busy month for security updates, with major patches releases by Microsoft, Adobe, Apache, Cisco and Apple to fix an array of serious security vulnerabilities including BlueBorne, a Bluetooth bug which exposes billions of devices to man-in-the-middle attacks.

UK government suppliers using Kaspersky to secure their servers and endpoints may well be feeling a bit nervous about the security software after Kaspersky was banned by US Government agencies. The US Senate accused the 20-year-old Russian based security company as being a pawn of the Kremlin and posing a national risk to security. Given the US and UK intelligence agency close ties, there are real fears it could lead to a similar ban in the UK as well. A UK ban could, in theory, be quickly extended to UK government suppliers through the Cyber Essentials scheme, given the Cyber Essentials accreditation is required at all UK government suppliers.

While on the subject of the Russia, the English FA has increased its cybersecurity posture ahead of next year's World Cup, likely due to concerns about the Russian Bears hacking group. The hacking group has already targeted a number of sports agencies in recent months, including hacking and releasing football player's world cup doping reports last month. 

In the last couple of weeks, I was Interviewed for Science of Security, and I updated my IBM Developer Works article on Combating IoT Cyber Threats.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Friday, 22 September 2017

Science of CyberSecurity: Latest Cyber Security Threats

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 5 of 5.

Q. What keeps you up at night in the context of the cyber environment that the world finds itself in?
The growing dependence and integration of connected computers within our daily lives, means we are embarking on an era where cyber attacks will endanger our lives. Networked and complex IT systems are inherently insecure, meaning it is open season for nation-states, cyber terrorists and the curious to attack these life integrated emerging technologies, from driverless cars and countless new home IoT devices. I fear it will only be a matter time before a cyber attack causes human harm or even loss of life. The impact of the recent NHS ransomware attack serves as a warning, this cyber attack directly caused the closure of accidental and energy departments and the cancellation of operations. The future threats posed artificial intelligence and quantum computing are also growing concerns for cyber security, and well worth keeping an eye as these technologies continue to progress.