From: Sean Rima
To: All
Subject: CRYPTO-GRAM, January 15, 2018
Date/Time: January 28, 2018 3:25 PM

             CRYPTO-GRAM
          January 15, 2018
          by Bruce Schneier
         CTO, IBM Resilient
        schneier@schneier.com
       https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>...

You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives... These same essays and news items appear in the "Schneier on Security" blog at <https://www.schneier.com/>, along with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
      Spectre and Meltdown Attacks Against Microprocessors
      News
      Susan Landau's New Book: "Listening In"
      Schneier News
      New Book Coming in September: "Click Here to Kill Everybody"
      Daniel Miessler on My Writings about IoT Security
** *** ***** ******* *********** *************
      Spectre and Meltdown Attacks Against Microprocessors
The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which of course is not a solution -- is to throw them all away and buy new ones.

On January 3, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world's computers for the past 15-20 years. They've been named Spectre and Meltdown, and they have to do with manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets elsewhere on the computer.

This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer -- maybe one running in a browser window from that sketchy site you're visiting, or as a result of a phishing attack -- can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Someone can run a process in the cloud and steal data from every other user on the same hardware.

Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling. By now all the major cloud vendors have patched their systems against the vulnerabilities that can be patched against.

"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren't security teams on call to write patches, and there often aren't mechanisms to push patches onto the devices. We're already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can't be fixed.

The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors. But it couldn't get that update directly to users; it had to work with the individual hardware companies, and some of them just weren't capable of getting the update to their customers.

We're already seeing this. Some patches require users to disable the computer's password, which means organizations can't automate the patch. Some antivirus software blocks the patch, or -- worse -- crashes the computer. This results in a three-step process: patch your antivirus software, patch your operating system, and *then* patch the computer's firmware.

The final reason is the nature of these vulnerabilities themselves. These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren't thinking about security. They didn't have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

This isn't to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.

You probably won't notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don't do all of the vulnerable fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.

It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.

But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.

Note: A shorter version of this essay previously appeared on CNN.com.
https://www.cnn.com/2018/01/04/opinions/secur...
er-has-just-gotten-a-lot-worse-opinion-schneier/index.html
News articles:
https://www.nytimes.com/2018/01/03/business/c...
https://www.wired.com/story/critical-intel-fl...
or-most-computers/
http://www.zdnet.com/article/security-flaws-a...
ce-1995-arm-processors-vulnerable/
https://www.forbes.com/sites/thomasbrewster/2...
pectre-vulnerabilities-leave-millions-open-to-cyber-attack/#277e7f0b393
2
https://arstechnica.com/gadgets/2018/01/meltd...
rn-processor-has-unfixable-security-flaws/
Vulnerability's website:
https://spectreattack.com/
Technical information:
https://lwn.net/SubscriberLink/742702/83606d2...
http://www.tomshardware.com/news/meltdown-spe...
m-nvidia,36219.html
https://webkit.org/blog/8048/what-spectre-and...
Research papers:
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf
Vulnerabilities in browsers:
https://www.lawfareblog.com/spectre-advertisi...
know
https://blog.mozilla.org/security/2018/01/03/...
ass-timing-attack/
http://www.tomshardware.com/news/meltdown-spe...
cript,36221.html
Early news about the vulnerability:
https://www.theregister.co.uk/2018/01/02/inte...
US-CERT recommendation:
https://www.kb.cert.org/vuls/id/584653
Who's patched what:
https://www.bleepingcomputer.com/news/securit...
ctre-vulnerability-advisories-patches-and-updates/
Unpatchable devices:
https://www.wired.com/2014/01/theres-no-good-...
of-things-and-thats-a-huge-problem/
Mirai botnet:
https://www.wired.com/2016/12/botnet-broke-in...
Intel ME vulnerability:
https://www.wired.com/story/intel-management-...
-servers-iot/
Problems with patching:
--- SBBSecho 3.03-Win32
 * Origin: http://realitycheckbbs.org (618:300/1)
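Added worked example, not part of Schneier's newsletter, of the BBS post, or of any vendor's code. The essay describes the attack only as manipulating the order in which a processor executes instructions; the C below shows the concrete Spectre variant 1 gadget shape that description refers to (a bounds-checked array read whose speculative execution can touch memory past the array) next to the index-masking mitigation modelled on the Linux kernel's array_index_mask_nospec(), which is the kind of software workaround the essay says vendors and browsers were working on. The memory layout, the secret bytes, the probe array and all function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy memory layout (not from any real program): a public
 * array the caller may legitimately index, immediately followed by a
 * secret that the bounds check is supposed to protect. */
#define PUBLIC_LEN 16
#define SECRET_LEN 8

struct victim_memory {
    uint8_t public_data[PUBLIC_LEN];
    uint8_t secret[SECRET_LEN];
};

static struct victim_memory mem = {
    .public_data = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 },
    .secret      = { 'S', 'E', 'C', 'R', 'E', 'T', '!', '!' },
};

/* Side channel: 256 regions, one per possible byte value. The victim
 * touches probe[v * 512]; an attacker who later times each region
 * learns v. Timing is not modelled here; only the gadget shape is. */
static uint8_t probe[256 * 512];

/* The byte the gadget's load would fetch if the bounds check were skipped,
 * i.e. what a mis-speculated path can see. Shows why an attacker picks
 * idx = PUBLIC_LEN + k to target secret[k]. */
uint8_t byte_at_unchecked(size_t idx) {
    return ((const uint8_t *)&mem)[idx];
}

/* Spectre variant 1 shape (bounds-check bypass). Architecturally correct:
 * any idx >= PUBLIC_LEN returns 0. Under speculation the CPU may run the
 * body before the compare resolves, and the dependent probe[] access
 * leaves a cache footprint keyed by the out-of-bounds byte. */
uint8_t victim_vulnerable(size_t idx) {
    if (idx < PUBLIC_LEN) {
        uint8_t v = mem.public_data[idx];
        return probe[(size_t)v * 512];
    }
    return 0;
}

/* Branchless mask in the style of the Linux kernel's
 * array_index_mask_nospec(): all-ones when idx < size, all-zeros
 * otherwise, computed arithmetically so there is no branch for the
 * predictor to mis-speculate. Assumes size is below SIZE_MAX / 2. */
size_t index_mask_nospec(size_t idx, size_t size) {
    /* top bit is set exactly when idx >= size (size - 1 - idx wraps) */
    size_t out_of_range = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1;   /* 0 -> SIZE_MAX (keep idx), 1 -> 0 (force 0) */
}

/* Index actually dereferenced by the hardened gadget: unchanged when in
 * range, forced to 0 otherwise, even on a mis-predicted path. */
size_t clamp_index_nospec(size_t idx) {
    return idx & index_mask_nospec(idx, PUBLIC_LEN);
}

/* Hardened gadget: same bounds check, but the index feeding the load is
 * masked, so a speculative pass with idx >= PUBLIC_LEN reads
 * public_data[0] rather than the secret. */
uint8_t victim_hardened(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx = clamp_index_nospec(idx);
        uint8_t v = mem.public_data[idx];
        return probe[(size_t)v * 512];
    }
    return 0;
}

int main(void) {
    size_t target = PUBLIC_LEN + 2;   /* attacker aims at secret[2] */
    printf("architectural result, vulnerable gadget: %u\n",
           (unsigned)victim_vulnerable(target));
    printf("byte a mis-speculated load would fetch : '%c'\n",
           byte_at_unchecked(target));
    printf("index used by hardened gadget          : %zu\n",
           clamp_index_nospec(target));
    return 0;
}
```

The leak itself is a cache-timing side effect, which is why this example cannot demonstrate it deterministically; what it does show is that the vulnerable and hardened gadgets return the same architectural values while only the hardened one guarantees the load never depends on an out-of-range index, whether the branch was predicted correctly or not. The alternative is a speculation barrier (lfence on x86) after the comparison, which is simpler but costs more on hot paths.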