STE WILLIAMS

Why CSP Isn’t Enough to Stop Magecart-Like Attacks

As Magecart and formjacking attacks become more sophisticated, it’s essential to address not only what services may interact with users, but what that interaction looks like and how to control it.

2019 left enterprises scrambling for security measures to tackle new threats such as formjacking and targeted attacks perpetrated by the group known as Magecart, as well as other attackers using the same techniques. Most, if not all, of the Magecart-style attacks started from a source the site already trusted: either a third-party domain or the website's own domain. The British Airways attack started from its own domain, while the Delta Air Lines, Best Buy, Sears, and other attacks started from trusted third-party domains.

Traditionally, security analysts have been quick to suggest Content Security Policy (CSP) as a valid technique to thwart these attacks. In reality, treating CSP as the be-all and end-all for monitoring and protecting websites leaves many gaps, and it does not by itself ensure that the end user or customer is protected from these attacks.

Unfortunately, using CSP alone to combat the threat posed by Magecart leaves large gaps and blind spots in the overall health, security, and functionality of a website. 

What Is a CSP?
CSP is delivered as an HTTP response header (Content-Security-Policy, or an equivalent meta tag) that a web server sends to a visitor's browser to define rules about what scripts, images, videos, and other resources the browser may load and execute. Put simply, the browser is given, per resource type, an allowlist of sources from which it may retrieve content; inline scripts are also refused unless the policy explicitly permits them with 'unsafe-inline', a nonce, or a hash. If the web page attempts to load a resource from a source not covered by the policy, the browser blocks it and can report the violation to a URL the policy names.

CSP can be used to effectively prevent certain types of client-side attacks. In cases where external resources can be mapped beforehand, thoroughly investigated for malicious code, and be kept up to date through future releases, CSP can be a useful component of an overall anti-Magecart strategy. 

However, CSP has real disadvantages. Here are its biggest problems, as well as a few tips about how to address them.

CSP does allow the owner of a website to control where third-party code can come from, but it does not provide a robust or granular way of handling what that code does once it is executing in the browser. In some ways, this is analogous to giving the key to your business to a contractor and leaving them unsupervised; you are granting them access but have no control over their behavior once they have that access.

As Magecart-like attacks become more sophisticated, it is essential to address not only what services may interact with your visitor, but what that interaction looks like and how it may be controlled. 
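To make the two points above concrete, here is an added example, not code from the article: a small evaluator for CSP fetch directives that decides, the way a browser would, whether a given resource load passes a given policy. The page origin, the policy, and every hostname in it are invented for the example; nonces, hashes, ports, and 'strict-dynamic' are deliberately left out. The last three cases are the Magecart shapes the article describes: the policy passes them because the allowlist only asks where code comes from, not what it does.

```javascript
// Added example, not code from the article: a minimal evaluator for CSP
// fetch directives. Supports 'self', 'none', '*', scheme sources (https:),
// host sources with an optional "*." wildcard and path, and the default-src
// fallback. Nonces, hashes, ports and 'strict-dynamic' are left out.
// All hostnames below are invented.

function parseCsp(header) {
  const policy = new Map();
  for (const clause of header.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);              // "*.cdn.example" -> ".cdn.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (source.endsWith(':')) return url.protocol === source;  // scheme source
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::\d+)?(\/.*)?$/);
  if (!m) return false;                                       // unsupported form
  const [, scheme, hostPattern, path] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (!hostMatches(hostPattern, url.hostname)) return false;
  if (path) {
    // a path ending in "/" is a prefix; anything else must match exactly
    return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  }
  return true;
}

// True when the browser would permit this fetch under this policy.
function isAllowed(policy, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (!sources) return true;        // no governing directive: CSP is silent
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

const PAGE_ORIGIN = 'https://shop.example';
const POLICY = parseCsp(
  "default-src 'self'; script-src 'self' https://cdn.tagvendor.example; " +
  "img-src 'self' https://cdn.tagvendor.example; connect-src 'self'"
);

// What the allowlist decides on a checkout page. The first two rows are the
// cases CSP handles; the last three are the Magecart shapes it does not.
function checkoutPageLoads() {
  return {
    // unknown host: blocked, both the script and its beacon
    rogueScript:  isAllowed(POLICY, 'script-src', 'https://skimmer.example/s.js', PAGE_ORIGIN),
    rogueBeacon:  isAllowed(POLICY, 'connect-src', 'https://skimmer.example/collect', PAGE_ORIGIN),
    // the vendor tag is allowed whether or not the vendor's CDN was tampered with
    vendorScript: isAllowed(POLICY, 'script-src', 'https://cdn.tagvendor.example/tag.js', PAGE_ORIGIN),
    // a first-party script modified on the site's own origin (the British Airways shape)
    ownScript:    isAllowed(POLICY, 'script-src', 'https://shop.example/js/checkout.js', PAGE_ORIGIN),
    // card data smuggled out in an image request to an allowed host
    imgExfil:     isAllowed(POLICY, 'img-src', 'https://cdn.tagvendor.example/p.gif?d=4111', PAGE_ORIGIN),
  };
}
```

The evaluator deliberately follows the same fallback rule a browser uses (a missing directive inherits default-src; a missing default-src means no restriction), because that is where most hand-written policies go wrong: an img-src or connect-src that was never written leaves the exfiltration channel wide open even when script-src is tight.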

More Work and Management Required
Implementing CSP requires an immense amount of effort because of configuration, subject matter expertise, and ongoing maintenance. Each new third-party service introduced into the website will require analysis by developers, the creation of new CSP directives, and changes to the web server application to deploy those new directives. Furthermore, this process may need to be repeated with each new release of any particular third-party service present. Lastly, this requires on-going governance and collaboration between digital media or marketing teams and application development, creating an additional organizational burden.

Third-party services frequently change their own internal architecture for a variety of reasons: feature enhancements, optimization, market conditions, etc. Any changes implemented by the third party may require reconfiguration of the CSP rules created for that service. 

While those changes are being made, the organization using that third-party service must choose between disabling CSP altogether, which lets the service run with no policy in place, and discontinuing use of the service until a new CSP configuration can be developed in-house. A report-only policy (sent as Content-Security-Policy-Report-Only) lets the new rules be tested without breaking the site, but it enforces nothing while it runs.

Action Plan
Here are three simple steps organizations can take to assess their vulnerability and protect themselves better:

  • Perform a website threat analysis to see how vulnerable you really are from malicious attacks.
  • Understand what scripts on your website are running and detect ones that shouldn’t be there or aren’t doing what they are intended to do.
  • Pay attention to similar industry attacks. If you are an e-commerce company and notice many attacks are in the news, do your homework on them. Make sure you aren’t using the same systems — and if you are, that you are monitoring them efficiently.

Many organizations undervalue the importance of the code they deliver to a visitor’s browser. The look, feel, interactivity, color scheme, and font choice may all be heavily scrutinized to ensure optimal customer satisfaction and return on investment. But often what is shown in the browser is thought of as a presentation layer rather than a vital part of the web application itself. 

Because client-side code is, in many cases, the core of the commerce engine the organization relies upon, it is essential to protect that code not only with the lock-and-key or whitelisting approach provided by CSP, but also robust, next-generation solutions which provide granular control over third parties and truly extend website security to the client side.


Hadar brings more than 15 years of varied executive experience, leading teams and developing multiple out-of-the-box solutions. Formerly Chief Solution Architect at LivePerson's global sales and alliances team, Hadar's can-do approach helped to close contracts worth millions of …

Article source: https://www.darkreading.com/attacks-breaches/why-csp-isnt-enough-to-stop-magecart-like-attacks/a/d-id/1337226?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Stuck at home? Need something to keep busy with? Microsoft has 115 ideas – including an awful SMBv3 security hole to worry about

Microsoft has emitted more than 100 fixes in its March batch of security updates.

The Patch Tuesday release addresses 115 CVE-listed flaws, including 26 classified as critical security risks. None of the flaws had previously been disclosed or exploited in the wild.

One particularly nasty remote code execution hole revealed this week lies within SMBv3. “An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client,” says Microsoft. No patch is available for it yet; the only workaround is to disable SMBv3 compression on servers, and there is currently no workaround or patch for clients.

Among the other critical alerts, for which patches are actually available, is CVE-2020-0852, a remote code execution flaw in Word.

As Dustin Childs of the Zero Day Initiative notes, such high-risk flaws are rare for Office apps like Word that are typically shielded from remote code risks because they do not automatically load documents.

“Most code execution bugs in Office products require a user to open a specially crafted file and are thus Important in severity. This Critical-rated Word bug requires no such user interaction,” explained Childs.

“Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user.”

Four other remote code execution flaws were also patched in Word this month, though none are considered as severe as CVE-2020-0852. Also raising eyebrows was CVE-2020-0905, a flaw that allows for the injection of shell commands in Dynamics Business Central.

“Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution,” notes Childs.

“Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly.”

As is often the case, Microsoft's browsers accounted for the vast majority of this month's critical updates. Remote code execution flaws in the scripting engine, VBScript, Media Foundation, and Edge/IE themselves added up to 19 critical flaws.

The Graphics Device Interface (GDI) was patched for two bugs (CVE-2020-0881, CVE-2020-0883), both allowing for remote code execution.

Azure DevOps was on the receiving end of three patches, two for elevation of privilege bugs (CVE-2020-0758, CVE-2020-0815) and one cross-site-scripting flaw (CVE-2020-0700).

Microsoft Defender had two elevation of privilege vulnerabilities (CVE-2020-0762, CVE-2020-0763), while SharePoint was patched for four cross-site scripting flaws (CVE-2020-0893, CVE-2020-0894, CVE-2020-0795, CVE-2020-0891).

SAP warns of major flaws

Enterprise giant SAP has dropped a number of fixes for high-severity issues, with four bulletins for flaws with CVSS ratings of 9 or higher.

Among those are two missing authentication checks in Solution Manager, a path manipulation vulnerability in NetWeaver, and an update for Chromium browser components in Business Client.

Also patched was a remote code execution flaw in Business Objects, a missing authorization check in Disclosure Management, denial of service in BusinessObjects Mobile, and a SQL injection flaw in SAP Max.

All quiet from Adobe

One name notably absent this month is Adobe. It seems Flash, Reader, Acrobat, Creative Cloud, and the other offerings from the multimedia giant are all free of major security flaws this month, though we may very well see patches posted later this month. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/11/patch_tuesday_march_smbv3/

Google: You know we said that Chrome tracker contained no personally identifiable info? Forget we ever said that

Google has stopped claiming that an identifier it uses internally to track experimental features and variations in its Chrome browser contains no personally identifiable information.

In February, Arnaud Granal, a software developer who works on a Chromium-based browser called Kiwi, claimed the X-client-data header, which Chrome sends to Google when a Google webpage has been requested, represents a unique identifier that can be used to track people across the web. As such, it could run afoul of Europe’s tough privacy regulations.

When The Register reported these claims, Google insisted the X-client-data header includes information about the variation of Chrome being used, rather than a unique fingerprint. “It is not used to identify or track individual users,” the ad giant said.

The Register has no reason to believe the X-client-data header was ever used to track and identify people across websites – Google has better ways of doing that. Concern about the identifier has more to do with insufficient disclosure, inaccurate description, legal compliance, and the possibility that it might be abused for identifiable tracking.

The specific language appeared in the Google Chrome Privacy Whitepaper, a document the company maintains to explain the data Chrome provides to Google and third-parties.

Last month, Google’s paper said, “This Chrome-Variations header (X-client-data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.”

That language is no longer present in the latest version of the paper, published March 5, 2020.


Asked why the change was made, a Google spokesperson said only, “The Chrome white paper is regularly updated as part of the Chrome stable release process.”

In place of the old language, visible in a diff of the two versions, is a slightly more detailed explanation of the X-client-data header, which comes in two variations: a low-entropy (13-bit) version whose values range from 0 to 7999, and a high-entropy version, which is what most Chrome users will send if they have not disabled usage statistics reporting.

The Register asked whether the change was made to avoid liability under Europe’s GDPR for claiming incorrectly that the X-client-data header contained no information that could be used to personally identify the associated Chrome user. But Google’s spokesperson didn’t address that question.

In an email to The Register, Granal said, “Knowing a bit the inner-workings on both sides (including Google’s lawyers), this is certainly a sensitive issue and it can be costly to Google if the issue is not addressed properly.

“As a user, in the current state, it’s important to understand that no matter if you use a proxy, a VPN, or even Tor (with Google Chrome), Google (including DoubleClick) may be able to identify you using this X-Client-Data. Do you want Google to be able to recognize you even if you are not logged-in to your account or behind a proxy? Personally, I am not comfortable with that, but each person has a different sensitivity with regards to privacy.

“I’m sure if you explain in simple words, to national data protection offices that Google can track your computer with a ‘permanent cookie’ they wouldn’t be happy with that at all.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/11/google_personally_identifiable_info/

Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling LVI flaw will slash performance

Computer security researchers involved in the discovery of the Meltdown and Spectre vulnerabilities affecting many modern processors have developed a related attack technique called Load Value Injection (LVI).

The attack relies on microarchitectural data leakage run in reverse: rather than reading secrets out directly, it injects attacker-chosen values into a victim's transient execution, and the victim's own code then leaks data in a way that breaks the confidentiality of modern Intel systems.

Chipzilla’s processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x.

That’s because LVI protection involves compiler and assembler updates that insert extra x86 instructions (lfence) and replace problematic instructions (such as ret) with functionally equivalent but more verbose instruction sequences.

In a paper scheduled to be published today, March 10, in a coordinated disclosure announcement with Intel, boffins from KU Leuven, Worcester Polytechnic Institute, Graz University of Technology, University of Michigan, and University of Adelaide, describe LVI as a reverse-Meltdown attack. Instead of leaking data from memory, it injects transient load values during a faulting or assisted load operation to perform some malicious action.

Using Spectre-style code gadgets – pre-existing code patterns in memory that can be manipulated to perform operations for the attacker – LVI can expose secrets and compromise Intel’s SGX secure enclave technology. SGX, in fact, makes the attack easier because the tech’s design allows attackers to create page faults for enclave memory loads by altering untrusted page tables.

Jo Van Bulck (KU Leuven) discovered and reported the issue on April 4, 2019, and worked with Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens to develop and refine the technique.

In February 2020, shortly before planned disclosure, Bitdefender security researchers Andrei Lutas and Dan Lutas independently came up with a proof-of-concept for one of several LVI variants called LVI-LFB, which applies to cross-process hyperthreading scenarios. Other LVI variants include LVI-NULL, LVI-L1D, LVI-FPU, and LVI-SB.

LVI, designated CVE-2020-0551 and Intel-SA-00334, is not a remote code execution threat; it’s dangerous mainly in multi-tenant environments such as enterprise workstations or servers in data centers. Intel considers it a medium (5.6) severity vulnerability.


The threat scenario involves a local adversary trying to obtain secrets (like passwords or encryption keys) from an operating system kernel, an OS process, or an SGX enclave. For SGX, root OS privileges are assumed – SGX was designed to protect against root-level attacks. With such secrets, more extensive compromise becomes possible.

It turns out that Meltdown, a technique for pulling data from a computer’s memory, can be turned around to put data back in, thereby poisoning data stored in memory during brief, speculative operations. Though the data gets thrown away after these short-lived tasks, it can still cause trouble.

While LVI utilizes code gadgets cherry-picked from memory, just like Spectre-style branch prediction hijacking, it differs in that it’s more broadly applicable. It doesn’t require mistraining a branch predictor (so it works on CPUs without prediction components and on systems that have current microcode and compiler defenses) and it hijacks control-flow after the target machine tries to fetch a branch-target from memory instead of beforehand.

“Our key contribution is to recognize that, under certain adversarial conditions, unintended microarchitectural leakage can also be inverted to inject incorrect data into the victim’s transient execution,” the paper explains. “Being essentially a ‘reverse Meltdown’-type attack, LVI abuses that a faulting or assisted load instruction executed within a victim domain does not always yield the expected result, but may instead transiently forward dummy values or (attacker-controlled) data from various microarchitectural buffers.”

A video posted to YouTube by one of the researchers, Daniel Gruss (Graz University of Technology), offers a demonstration.

In a technical analysis Intel intends to publish on Tuesday alongside a blog post, the chipmaker explains that, in some processors, faulting or assisting load instructions may receive speculative data from a processor buffer.

“If an adversary can cause a specified victim load to fault, assist, or abort, the adversary may be able to select the data to have forwarded to dependent operations by the faulting/assisting/aborting load,” Intel’s technical paper explains.

“For certain code sequences, those dependent operations may create a covert channel with data of interest to the adversary. The adversary may then be able to infer the data’s value through analyzing the covert channel. This transient execution attack is called Load Value Injection (LVI) and is an example of a cross-domain transient execution attack.”

Intel insists this isn’t really a matter of concern in non-SGX environments. In a statement emailed to The Register, a spokesperson said: “Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted.”

The researchers in their paper make clear the chip maker isn’t quite so blasé about the risks where SGX comes into play: “Intel considers LVI particularly severe for SGX…”

“We agree with Intel’s assessment that LVI is less practical and more difficult to mount in a non-SGX setting where the operating system and VMM are trusted,” said Van Bulck in an email to The Register. “But LVI has definitely real-world impact for SGX, which is why we engaged in an extended responsible disclosure embargo.”

Bogdan Botezatu, director of threat research for Bitdefender, didn’t sound particularly worried in an email to The Register.

“Just like Meltdown, Spectre, the MDS attacks and the SWAPGS attack discovered in the past, the LVI-LFB attack once again defeats security boundaries enforced at the silicon level,” Botezatu said.

“The attack itself is moderately complex to execute and we’re not expecting it to be widely spread against consumers, it is a very good avenue into multi-tenant environments such as public cloud infrastructures, endpoints in the enterprise or other workloads that are shared amongst clients. Because this means of exploiting the CPU leaves no forensic evidence behind, it could be used in high-profile state- or corporate-espionage campaigns, for instance.”

There’s no microcode update planned, as there was with Meltdown and Spectre. But Chipzilla is releasing updates to its SGX Platform Software and SDK. It has also worked with partners like Microsoft to make compiler and assembler options available to guard against LVI.

Defending against LVI, the researchers’ paper explains, “requires serializing the processor pipeline with lfence instructions after possibly every memory load. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction.”

And that's what Intel suggests: ensuring that an lfence instruction is executed after each instruction that performs a load. It is making a patched GNU assembler available with lfence insertion baked in, and it is helping develop an extension for the clang compiler (part of LLVM) that will do the same. Microsoft is also planning to modify its Visual C/C++ compiler to add the lfence instruction where needed.

The compiler changes include special support for modifying instruction sequences that combine a load with a dependent memory access or branch, including loads the instruction performs implicitly, as ret does when it fetches the return address from the stack. The ret instruction, for example, will be replaced with:

POP scratch register
LFENCE       # Forces the pop to retire
JMP scratch register

Because an assembler lacks the compiler's knowledge of which registers are free to use as scratch, it produces slightly different output:

NOT QWORD PTR [rsp]   # Two NOTs leave the return address unchanged but force it
NOT QWORD PTR [rsp]   # to be loaded and written back ...
LFENCE                # ... so the fence serializes it before RET consumes it
RET
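To show how the two rules above compose, here is an added example that is not code from the paper or from Intel's or Microsoft's tooling: a toy hardening pass over x86-64 instructions written as Intel-syntax text. It applies the generic rule (an lfence after every instruction that loads from memory, treating pop, ret, and leave as implicit stack loads) and the special-case rule for ret in either the compiler form or the assembler form from the text. The scratch register (r11), the sample function body, and the classification tables are assumptions made for the example; real toolchains work on their own intermediate representation and cover cases this pass leaves untouched, such as jmp or call through a memory operand.

```javascript
// Added example, not code from the paper or from Intel's tooling: a toy LVI
// hardening pass over Intel-syntax x86-64 text. Scratch register r11 and the
// operand-classification tables below are assumptions for the example.

const IMPLICIT_STACK_LOADS = new Set(['pop', 'ret', 'leave']);
// Destination operand is read as well as written (load if it is in memory).
const READ_MODIFY_WRITE = new Set(['add', 'sub', 'adc', 'sbb', 'and', 'or', 'xor', 'not', 'neg', 'inc', 'dec']);
// First operand is only read.
const READ_ONLY_FIRST = new Set(['cmp', 'test', 'push']);

function splitInsn(insn) {
  const m = insn.trim().match(/^(\S+)\s*(.*)$/);
  const mnemonic = m[1].toLowerCase();
  const operands = m[2] ? m[2].split(',').map((op) => op.trim()) : [];
  return { mnemonic, operands };
}

// Does this instruction read from memory? Intel syntax: destination first, so a
// bracketed operand in any later position is a source; a bracketed first
// operand is a load only for read-modify-write and read-only mnemonics.
function loadsFromMemory(insn) {
  const { mnemonic, operands } = splitInsn(insn);
  if (IMPLICIT_STACK_LOADS.has(mnemonic)) return true;
  return operands.some((op, i) =>
    op.includes('[') &&
    (i > 0 || READ_MODIFY_WRITE.has(mnemonic) || READ_ONLY_FIRST.has(mnemonic)));
}

// mode: 'compiler' (pop/lfence/jmp through a scratch register) or
//       'assembler' (not/not/lfence/ret, no free register needed)
function hardenLvi(insns, mode) {
  const out = [];
  for (const insn of insns) {
    const { mnemonic } = splitInsn(insn);
    if (mnemonic === 'ret') {
      if (mode === 'compiler') out.push('pop r11', 'lfence', 'jmp r11');
      else out.push('not qword ptr [rsp]', 'not qword ptr [rsp]', 'lfence', 'ret');
      continue;
    }
    out.push(insn);
    if (loadsFromMemory(insn)) out.push('lfence');
  }
  return out;
}

// Constructed sample function body.
const SAMPLE = [
  'mov rax, [rdi]',          // explicit load: fenced
  'add rax, rsi',            // registers only: untouched
  'mov [rdi+8], rax',        // store: untouched
  'cmp qword ptr [rdi], 0',  // load feeding a compare: fenced
  'ret',                     // implicit load of the return address: rewritten
];

function hardenSample(mode) {
  return hardenLvi(SAMPLE, mode);
}
```

On the five-instruction sample the pass emits three lfences in either mode: after the explicit load, after the compare, and one inside the ret replacement. Counting fences against a real function body is the quickest way to see where the 2x to 19x overhead reported below comes from: nearly every memory read in the hot path acquires a full pipeline serialization.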

Depending upon the applications and optimizations involved, the researchers report performance overhead increases ranging from 2x to 19x when full mitigation is implemented.

Asked whether it agreed with the researchers’ estimate, Intel did not respond. Intel’s technical paper avoids specific figures, saying only that the performance impact of full mitigation in an SGX environment “will vary depending on workload but may be significant in some cases.” The paper goes on to suggest that if the impact is too much and their threat model allows it, software vendors may want to deploy only partial mitigations.

Van Bulck said he and his fellow boffins have only demonstrated LVI on Intel processors. In principle, he said, any CPU affected by Meltdown would also be affected by LVI, but he emphasized that Intel chips are particularly vulnerable for two reasons.

One, he said, is that Meltdown-type leakages, including Foreshadow, ZombieLoad, Fallout, and RIDL, mainly affected Intel. The other is that LVI requires inducing faults in a victim program and this is trivial with SGX but more difficult with other Trusted Execution Environments like Arm TrustZone.

“We believe that none of the ingredients for LVI are exclusive to Intel processors,” Van Bulck explained. “However, LVI turns out to be most practically exploitable on Intel processors because of the combination of the facts that we have seen more Meltdown-type leakage sources there that can potentially be inverted, plus certain design decisions that are specific to the Intel SGX architecture (i.e. untrusted page tables).”

That said, Arm and IBM have been notified of the findings, as has Microsoft, which is said to be investigating whether LVI has implications for the Windows kernel.

“We consider non-SGX LVI attacks of mainly academic interest and we agree with Intel’s current assessment to not deploy extra mitigations for non-SGX environments, but we encourage future research to further investigate LVI in non-SGX environments,” said Van Bulck. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/10/lvi_intel_cpu_attack/

That LVI CPU hole wasn’t the only Intel fix: Dozens of flaws patched to stop chips turning into potatoes

Intel has posted a fresh crop of firmware updates for security flaws in its chipsets.

The March fix bundle includes nine advisories covering processors, FPGAs, and other components, as well as the high-profile Meltdown-style LVI hole.

Among the most expansive is the advisory for Intel graphics drivers. In total, 17 CVE-listed bugs were patched, ranging from elevation-of-privilege and denial-of-service to information-disclosure flaws.

The FPGA PAC N-3000 card has received an update for two CVE-listed flaws, one allowing elevation-of-privilege for an attacker and another allowing for denial-of-service.

A single flaw in the Optane DC Persistent Memory Management Software could potentially allow for elevation of privilege or a denial of service.


An information-disclosure flaw in data forwarding for Intel processors prompted an advisory and firmware update, as did the already disclosed LVI design flaw.

Intel NUC mini-computers got an update for an escalation of privilege bug rated as a “high” risk.

Those using the Intel Max 10 FPGA hardware will want to enable JTAG Secure Mode to guard against an information disclosure vulnerability.

BlueZ, the open source Linux Bluetooth stack that Intel maintains, has been updated with a fix for a high-risk flaw that could potentially allow information disclosure or denial of service.

Intel Smart Sound Technology, a component in both 8th and 10th generation Intel Core processors, has received a patch for a flaw that would allow an unauthenticated user to elevate privileges and move through a target system.

Users and admins are advised to test and install any of the needed Intel updates as soon as possible. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/11/intel_march_2020_patches/

Stuck at home? Need something to keep busy with? Microsoft has 115 ideas – and yes, we mean security fixes

Microsoft has emitted more than 100 fixes in its March batch of security updates.

The Patch Tuesday release addresses 115 CVE-listed flaws, including 26 classified as critical security risks. None of the flaws had previously been disclosed or exploited in the wild.

Among the critical updates is CVE-2020-0852, a remote code execution flaw in Word.

As Dustin Childs of the Zero Day Initiative notes, such high-risk flaws are rare for Office apps like Word that are typically shielded from remote code risks because they do not automatically load documents.

“Most code execution bugs in Office products require a user to open a specially crafted file and are thus Important in severity. This Critical-rated Word bug requires no such user interaction,” explained Childs.

“Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user.”

Four other remote code execution flaws were also patched in Word this month, though none are considered as severe as CVE-2020-0852.

Also raising eyebrows was CVE-2020-0905, a flaw that allows for the injection of shell commands in Dynamics Business Central.

“Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution,” notes Childs.

“Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly.”

As is often the case, Microsoft’s browsers accounted for the vast majority of this month’s critical updates. Remote code flaws in the scripting engine, VBscript, Media Foundation, and Edge/IE themselves added up to 19 critical flaws.

The Graphics Device Interface (GDI) was patched for two bugs (CVE-2020-0881, CVE-2020-0883), both allowing for remote code execution.

Azure DevOps was on the receiving end of three patches, two for elevation of privilege bugs (CVE-2020-0758, CVE-2020-0815) and one cross-site-scripting flaw (CVE-2020-0700).

Microsoft Defender had two elevation of privilege vulnerabilities (CVE-2020-0762, CVE-2020-0763), while SharePoint was patched for four cross-site scripting flaws (CVE-2020-0893, CVE-2020-0894, CVE-2020-0795, CVE-2020-0891).

SAP warns of major flaws

Enterprise giant SAP has dropped a number of fixes for high-severity issues, with four bulletins for flaws with CVSS ratings of 9 or higher.

Among those are two missing authentication checks in Solution Manager, a path manipulation vulnerability in NetWeaver, and an update for Chromium browser components in Business Client.

Also patched was a remote code execution flaw in Business Objects, a missing authorization check in Disclosure Management, denial of service in BusinessObjects Mobile, and a SQL injection flaw in SAP Max.

All quiet from Adobe

One name notably absent this month is Adobe. It seems Flash, Reader, Acrobat, Creative Cloud, and the other offerings from the multimedia giant are all free of major security flaws this month, though we may very well see patches posted later this month. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/11/patch_tuesday_march/

Researchers Develop New Side-Channel Attacks on Intel CPUs

Load Value Injection (LVI) takes advantage of speculative execution processes just like Meltdown and Spectre, say security researchers from Bitdefender and several universities.

Security researchers have discovered yet another way that attackers can take advantage of a performance optimization technique in modern CPUs called speculative execution in order to steal encryption keys, passwords, and other information from a targeted system.

The vulnerability affects all Intel CPUs in servers, desktops, and laptops manufactured between 2012 and 2020 including the ninth generation of Intel CPUs. Also affected is Intel Software Guard Extensions (SGX), a newer technology in which certain data on Intel processors is protected in so-called enclaves. However, attacks leveraging the vulnerability are believed to be difficult to pull off and likely only within the reach of a nation-state threat actor.

Security researchers at Bitdefender are among those who discovered the issue and reported it to Intel on February 10. In a paper this week, the researchers described a proof-of-concept exploit for the vulnerability that is similar to the side-channel attacks leveraging the infamous Spectre and Meltdown vulnerabilities uncovered in Intel CPUs two years ago. Those attacks, too, leveraged weaknesses in the speculative execution process on Intel processors and on CPUs from other vendors, including AMD.

Bitdefender is not the first to discover the latest vulnerability. Earlier, researchers from several universities independently discovered and reported the same issue to Intel last April. They, too, released a report and proof-of-concept code describing the issue on Tuesday.

Intel has released new mitigation guidance and tools for the vulnerability, which allows for so-called load value injection (LVI) attacks. The chipmaker said the new measures should work with existing mitigations for Spectre and Meltdown in reducing the overall attack surface related to LVI.

Bogdan Botezatu, director of threat research at Bitdefender, describes the vulnerability as residing in the way Intel processors make use of speculative execution, a technique in which a CPU performs operations before it knows they are needed so that the results are ready if they are. While the approach improves performance, the speculation can leave traces in the processor's caches or buffers, which attackers can use to leak privileged kernel memory, Botezatu says.

The LVI technique allows an adversary to inject rogue values in certain micro-architectural structures called buffers that are then used by the victim during speculative execution. “It lets an attacker influence Intel hardware-level functionality to leak data,” Botezatu says. “In simple terms, it can allow a malicious actor with access to a shared infrastructure, such as public cloud providers or other shared enterprise environments, to leak data that they otherwise would not have access to.” A less-privileged tenant in such an environment would be able to leak sensitive information from a more privileged user or from a different virtualized environment.

According to Botezatu, the attack can work across all security boundaries: process-to-process, user mode to kernel mode, guest mode to root mode, and potentially even from user mode to the SGX enclave. An attacker would need either local access to the vulnerable system or would need to trick the user into opening a web page that uses malicious JavaScript to perform the attack. “In theory, this attack could potentially be executed without local access to infrastructure, but we have not tested its reliability yet,” Botezatu says.

Shades of Spectre and Meltdown
LVI attacks are similar to others involving speculative execution — such as Meltdown, Spectre, and microarchitectural data sampling (MDS) hardware vulnerabilities in Intel CPUs. But the way in which LVI works is different from the previous attacks, Botezatu notes.

Meanwhile, in their paper on LVI attacks, the academic researchers described a proof of concept they have developed that targets Intel SGX enclaves. According to these researchers, LVI primarily applies only to Intel processors with SGX technology, though Bitdefender’s research described it as affecting a broader set of CPUs.

“LVI bypasses all existing mitigations against transient-execution attacks,” such as Meltdown and Spectre, according to the researchers. “Any processor that is vulnerable to Meltdown-type data leakage would also be vulnerable to LVI-style data injection.”

But the fixes that Intel has released for addressing those previous vulnerabilities do not work against LVI. In addition to the previous mitigations and compiler patches, LVI also necessitates specific updates to assist SGX application developers in updating their enclave code, the researchers said.

In its statement, Intel said it would release updates to the SGX Platform Software and SDK starting today. “The Intel SGX SDK includes guidance on how to mitigate LVI for Intel SGX application developers,” the chipmaker said. “Intel has likewise worked with our industry partners to make application compiler options available.”

But the company insisted that the “numerous, complex requirements” that need to be met in order to implement LVI successfully make it an impractical exploit in real-world situations where the operating system and the virtual machine manager are trusted.

Botezatu too says LVI attacks are not especially easy to pull off because several prerequisites need to be met first. It’s only a determined threat actor, such as a hostile government-sponsored entity or a corporate espionage group, that’s likely to have the ability to exploit the issue, he concedes. Even so, once orchestrated, “this type of attack would be impossible to detect and block by existing security solutions or other intrusion detection systems,” he says.

According to Botezatu, no patches are currently available from Intel for the kind of attack that Bitdefender demonstrated via its proof-of-concept code. But when patches for microcode, operating system, and hypervisors do become available, organizations should apply them as soon as possible.

“Side-channel attacks against modern processors have become the new normal, and organizations have very few options to defend against them,” Botezatu says. “CPU vendors have to invest in serious efforts to develop mitigations to plug these vulnerabilities.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/researchers-develop-new-side-channel-attacks-on-intel-cpus/d/d-id/1337287?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

You only LVI twice: Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling flaw will cost you 50%+ of performance

Computer security researchers involved in the discovery of the Meltdown and Spectre vulnerabilities affecting many modern processors have developed a related attack technique called Load Value Injection (LVI).

The attack relies on microarchitectural data leakage to inject and execute malicious code in a way that breaks the confidentiality of modern Intel systems.

Chipzilla’s processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x.

That’s because LVI protection involves compiler and assembler updates that insert extra x86 instructions (lfence) and replace problematic instructions (such as ret) with functionally equivalent but more verbose instruction sequences.

In a paper scheduled to be published today, March 10, in a coordinated disclosure announcement with Intel, boffins from KU Leuven, Worcester Polytechnic Institute, Graz University of Technology, University of Michigan, University of Adelaide, and Graz University of Technology describe LVI as a reverse-Meltdown attack. Instead of leaking data from memory, it injects transient load values during a faulting or assisted load operation to perform some malicious action.

Using Spectre-style code gadgets – pre-existing code patterns in memory that can be manipulated to perform operations for the attacker – LVI can expose secrets and compromise Intel’s SGX secure enclave technology. SGX, in fact, makes the attack easier because the tech’s design allows attackers to create page faults for enclave memory loads by altering untrusted page tables.

Jo Van Bulck (KU Leuven) discovered and reported the issue on April 4, 2019, and worked with Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, and Frank Piessens to develop and refine the technique.

In February 2020, shortly before planned disclosure, Bitdefender security researchers Andrei Lutas and Dan Lutas independently came up with a proof-of-concept for one of several LVI variants called LVI-LFB, which applies to cross-process hyperthreading scenarios. Other LVI variants include LVI-NULL, LVI-L1D, LVI-FPU, and LVI-SB.

LVI, designated CVE-2020-0551 and Intel-SA-00334, is not a remote code execution threat; it’s dangerous mainly in multi-tenant environments such as enterprise workstations or servers in data centers. Intel considers it a medium (5.6) severity vulnerability.


The threat scenario involves a local adversary trying to obtain secrets (like passwords or encryption keys) from an operating system kernel, an OS process, or an SGX enclave. For SGX, root OS privileges are assumed – SGX was designed to protect against root-level attacks. With such secrets, more extensive compromise becomes possible.

It turns out that Meltdown, a technique for pulling data from a computer’s memory, can be turned around to put data back in, thereby poisoning data stored in memory during brief, speculative operations. Though the data gets thrown away after these short-lived tasks, it can still cause trouble.

While LVI utilizes code gadgets cherry-picked from memory, just like Spectre-style branch prediction hijacking, it differs in that it’s more broadly applicable. It doesn’t require mistraining a branch predictor (so it works on CPUs without prediction components and on systems that have current microcode and compiler defenses) and it hijacks control-flow after the target machine tries to fetch a branch-target from memory instead of beforehand.

“Our key contribution is to recognize that, under certain adversarial conditions, unintended microarchitectural leakage can also be inverted to inject incorrect data into the victim’s transient execution,” the paper explains. “Being essentially a ‘reverse Meltdown’-type attack, LVI abuses that a faulting or assisted load instruction executed within a victim domain does not always yield the expected result, but may instead transiently forward dummy values or (attacker-controlled) data from various microarchitectural buffers.”

A video posted to YouTube by one of the researchers, Daniel Gruss (Graz University of Technology), offers a demonstration:


In a technical analysis Intel intends to publish on Tuesday alongside a blog post, the chipmaker explains that, in some processors, faulting or assisting load instructions may receive speculative data from a processor buffer.

“If an adversary can cause a specified victim load to fault, assist, or abort, the adversary may be able to select the data to have forwarded to dependent operations by the faulting/assisting/aborting load,” Intel’s technical paper explains.

“For certain code sequences, those dependent operations may create a covert channel with data of interest to the adversary. The adversary may then be able to infer the data’s value through analyzing the covert channel. This transient execution attack is called Load Value Injection (LVI) and is an example of a cross-domain transient execution attack.”

Intel insists this isn’t really a matter of concern in non-SGX environments. In a statement emailed to The Register, a spokesperson said: “Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted.”

The researchers in their paper make clear the chip maker isn’t quite so blasé about the risks where SGX comes into play: “Intel considers LVI particularly severe for SGX…”

“We agree with Intel’s assessment that LVI is less practical and more difficult to mount in a non-SGX setting where the operating system and VMM are trusted,” said Van Bulck in an email to The Register. “But LVI definitely has real-world impact for SGX, which is why we engaged in an extended responsible disclosure embargo.”

Bogdan Botezatu, director of threat research for Bitdefender, didn’t sound particularly worried in an email to The Register.

“Just like Meltdown, Spectre, the MDS attacks and the SWAPGS attack discovered in the past, the LVI-LFB attack once again defeats security boundaries enforced at the silicon level,” Botezatu said.

“The attack itself is moderately complex to execute and we’re not expecting it to be widely spread against consumers; it is a very good avenue into multi-tenant environments such as public cloud infrastructures, endpoints in the enterprise or other workloads that are shared amongst clients. Because this means of exploiting the CPU leaves no forensic evidence behind, it could be used in high-profile state- or corporate-espionage campaigns, for instance.”

There’s no microcode update planned, as there was with Meltdown and Spectre. But Chipzilla is releasing updates to its SGX Platform Software and SDK. It has also worked with partners like Microsoft to make compiler and assembler options available to guard against LVI.

Defending against LVI, the researchers’ paper explains, “requires serializing the processor pipeline with lfence instructions after possibly every memory load. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction.”

And that’s what Intel suggests: ensuring that an lfence instruction gets executed after each instruction that performs a load operation. It’s making a patched GNU assembler available with lfence insertion baked in, and it’s helping develop an extension for the clang compiler (part of LLVM) that will do the same. Also, Microsoft is planning to modify its Visual C/C++ compiler to add the lfence instruction if needed.

The compiler changes include special support for modifying instruction sequences that combine a load operation with a dependent memory access or branch operation. The ret instruction, for example, will be replaced with:

POP scratch register
LFENCE       # Forces the pop to retire
JMP scratch register

Because assemblers lack the compiler’s knowledge of which registers are free, they produce slightly different output:

NOT QWORD PTR [rsp]
NOT QWORD PTR [rsp]
LFENCE
RET

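To make the two rewrites above concrete, here is a toy model of such a hardening pass over an Intel-syntax text listing. It is an added example, not Intel’s, LLVM’s or GNU as’s implementation: the load-detection heuristic, the sample listing and the `scratch` parameter are all assumptions made for illustration.

```python
"""
Toy LVI hardening pass: insert LFENCE after every instruction that reads
memory, and rewrite RET (and indirect branches through memory) so the
loaded target is fenced before it is consumed. Added example, not the
compiler/assembler changes themselves; simple Intel-syntax listings only.
"""
import re

MEM = re.compile(r"\[[^\]]*\]")
# Instructions that read memory without a bracketed operand.
IMPLICIT_LOADS = {"pop", "popf", "popfq", "leave", "lodsb", "lodsq", "movsb", "movsq"}
# Plain moves: a bracketed *first* operand means a store, not a load.
STORE_IF_DEST = {"mov", "movaps", "movups", "movdqa", "movdqu", "movq", "movd"}


def split_insn(code):
    """'add rax, [rdi+8]' -> ('add', ['rax', '[rdi+8]'])"""
    mnemonic, _, rest = code.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
    return mnemonic.lower(), ops


def loads_memory(mnemonic, ops):
    """True if the instruction performs an explicit or implicit load."""
    if mnemonic in IMPLICIT_LOADS:
        return True
    if mnemonic == "lea":          # computes an address, never dereferences it
        return False
    for i, op in enumerate(ops):
        if MEM.search(op):
            if i == 0 and mnemonic in STORE_IF_DEST:
                continue           # destination operand of a move: a store
            return True            # source or read-modify-write operand: a load
    return False


def harden(lines, scratch=None):
    """Return the hardened listing. With a free scratch register (what a
    compiler knows) RET becomes pop/lfence/jmp; without one (an assembler's
    view) it becomes not/not/lfence/ret, so the return address has been
    fetched and written back before RET consumes it."""
    out = []
    for raw in lines:
        code = raw.split(";", 1)[0].strip()
        if not code or code.endswith(":") or code.startswith("."):
            out.append(raw)                     # blank line, label or directive
            continue
        mnemonic, ops = split_insn(code)
        if mnemonic == "ret":
            if scratch:
                out += [f"pop {scratch}", "lfence", f"jmp {scratch}"]
            else:
                out += ["not qword ptr [rsp]", "not qword ptr [rsp]", "lfence", "ret"]
        elif mnemonic in ("jmp", "call") and ops and MEM.search(ops[0]):
            if not scratch:
                raise ValueError(f"need a scratch register to harden '{code}'")
            out += [f"mov {scratch}, {ops[0]}", "lfence", f"{mnemonic} {scratch}"]
        elif loads_memory(mnemonic, ops):
            out += [raw, "lfence"]
        else:
            out.append(raw)
    return out


# Constructed sample listing (Intel syntax), not code from the paper.
SAMPLE = [
    "victim:",
    "mov rax, [rdi]",           # load: needs a fence
    "mov [rsi], rax",           # store: left alone
    "add rax, [rdi+8]",         # load
    "lea rcx, [rdi+16]",        # address computation only
    "cmp qword ptr [rcx], 0",   # memory is read even though it is operand one
    "pop rbx",                  # implicit load from the stack
    "ret",                      # implicit load of the return address
]

if __name__ == "__main__":
    print("\n".join(harden(SAMPLE)))
```

Running it on the sample shows where the cost comes from: every load gains a serializing fence, and the one-byte `ret` grows to four instructions.
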
Depending upon the applications and optimizations involved, the researchers report performance overhead increases ranging from 2x to 19x when full mitigation is implemented.

Asked whether it agreed with the researchers’ estimate, Intel did not respond. Intel’s technical paper avoids specific figures, saying only that the performance impact of full mitigation in an SGX environment “will vary depending on workload but may be significant in some cases.” The paper goes on to suggest that if the impact is too much and their threat model allows it, software vendors may want to deploy only partial mitigations.

Van Bulck said he and his fellow boffins have only demonstrated LVI on Intel processors. In principle, he said, any CPU affected by Meltdown would also be affected by LVI, but he emphasized that Intel chips are particularly vulnerable for two reasons.

One, he said, is that Meltdown-type leakages, including Foreshadow, ZombieLoad, Fallout, and RIDL, mainly affected Intel. The other is that LVI requires inducing faults in a victim program and this is trivial with SGX but more difficult with other Trusted Execution Environments like Arm TrustZone.

“We believe that none of the ingredients for LVI are exclusive to Intel processors,” Van Bulck explained. “However, LVI turns out to be most practically exploitable on Intel processors because of the combination of the facts that we have seen more Meltdown-type leakage sources there that can potentially be inverted, plus certain design decisions that are specific to the Intel SGX architecture (i.e. untrusted page tables).”

That said, Arm and IBM have been notified of the findings, as has Microsoft, which is said to be investigating whether LVI has implications for the Windows kernel.

“We consider non-SGX LVI attacks of mainly academic interest and we agree with Intel’s current assessment to not deploy extra mitigations for non-SGX environments, but we encourage future research to further investigate LVI in non-SGX environments,” said Van Bulck. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/10/lvi_reverse_meltdown_intel_attack/

California tech industry gets its first big coronavirus hit: RSA Conference attendee infected, in serious condition

The deadly Wuhan coronavirus has reached California’s tech sector with the news that an engineer who attended the RSA Conference in San Francisco last month has now tested positive for COVID-19 – and is in a serious condition.

The 45-year-old employee of Exabeam attended the annual security meet-up between February 24 and 28, and began experiencing symptoms when he returned home to Connecticut, according to news reports.

The condition got worse this past week, and he was put into a medically induced coma. He is still under, and on a ventilator. He has an underlying heart condition, his wife said.

On Tuesday, NASA announced one of its employees at the Ames Research Center in Silicon Valley had also tested positive. “We believe the exposure at the center has been limited, but out of an abundance of caution Ames Research Center is temporarily on mandatory telework status with restricted access to the center until further notice,” the American space agency said.

The news has been greeted with a mixture of shock and inevitable resignation. Tech companies were among the first in the US to tell staff to work from home once it became clear the virus was stateside. Big names including Twitter, Facebook and Google have also cancelled large annual conferences in response.

The RSA Conference is significant with roughly 40,000 attendees. As we reported last month, attendance, we’re told by organizers, dropped by roughly 500 people – just over one per cent – after six of the nine Chinese companies scheduled to attend cancelled in response to the virus outbreak. They were later joined by AT&T Cybersecurity, IBM, and Verizon. Reg reporters also briefly attended.

Calm before the storm?

So far, the San Francisco Bay Area has been relatively lightly hit – at least according to official infection figures. At the time of writing, there are 154 confirmed cases in California, with 94 of them in the Bay Area. There are more than 10,000 Californians in self-quarantine.

But given the area’s strong ties to China and Asia, and the fact that there remains a severe shortage of testing kits, many are fearful that the virus has spread widely, and it is only a matter of time before the true picture is revealed.


Most recently, San Francisco has become the focus of coronavirus fears after a cruise ship, the Grand Princess, was kept out at sea for several days after 21 people on board tested positive. More than 2,000 people were stuck on the ship, which was finally allowed to dock in Oakland – on the other side of the bay from San Francisco – on Monday, despite complaints from President Trump that letting it dock would increase the stats on infected individuals in the US.

Among other big conferences cancelled today are two run by the International Telecommunication Union (ITU) in Geneva, Switzerland. It has postponed the upcoming World Information Society (WSIS) Forum (originally planned for April; now moved to September) and the AI for Good Global Summit (originally May; now September).

We have been on the lookout for tech-related conferences that are still going ahead, and found one this morning: the Wireless Internet Service Providers Association (WISPA) will still run its annual convention in Dallas, Texas, next week, expecting more than 1,000 attendees and exhibitors.

As opposed to the Californian tech industry, which has decided to listen to the warnings of health professionals over the bluster of politicians, Washington DC-based WISPA has taken a very Trumpian approach to the virus, blaming media coverage over biology and saying in a statement: “The WISP industry is a strong and resilient one. We’re dedicated and fearless. Attending WISPAMERICA sends a strong signal to others in the communications industry, policymakers and your communities that you will remain strong even in light of the day’s loud and oftentimes distracting news coverage and circumstances. The novel coronavirus is not to be sniffed at, but its risks are manageable – WISPs will not let these events paralyze their service to customers and the community at large.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/10/rsa_conference_coronavirus/

Paradise Ransomware Variant Hides in Office IQY Files

The uncommon Internet Query file format lets attacks slip past defenses to effectively break into target networks.

Researchers have detected an attack campaign that leverages Internet Query files (IQY) to bypass enterprise defense systems and deliver a new variant of Paradise ransomware.

Paradise has been active since 2017; now, its operators are finding new ways to deliver the malware. IQY files are simple text files read by Microsoft Excel to download data from the Internet. It’s one of the lesser-known weaponizable Microsoft Office file formats, Lastline researchers say. Most organizations won’t block or filter IQY because it’s a legitimate file type. Further, the files may not register as malware because there is no payload, just a URL.

The campaign is designed to trick users into opening an IQY attachment, which retrieves a malicious Excel formula from the attacker’s command-and-control server. That formula invokes a PowerShell command, which downloads and deploys the ransomware. Lastline researchers were able to link the executable to the Paradise ransomware family.
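Because an IQY attachment carries nothing but a fetch URL, a gateway can still reason about it by parsing the file and checking where Excel would be sent. The following is an added example of such a check, not Lastline’s tooling; the file layout it assumes (a WEB line, a version line, the URL, then key=value settings), the allowlist and the sample files are all constructed for illustration.

```python
"""
Mail-gateway style triage for Internet Query (.iqy) attachments.
Added example; the allowlist and sample files are constructed.
"""
from urllib.parse import urlsplit


def parse_iqy(text):
    """Return (url, settings) for a WEB query file, or raise ValueError."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        raise ValueError("not a WEB query (.iqy) file")
    url = lines[2]
    settings = {}
    for line in lines[3:]:                  # optional Selection=, Formatting=, ...
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return url, settings


def assess(text, allowed_hosts):
    """Return the reasons to quarantine the attachment; [] means allowed."""
    try:
        url, _settings = parse_iqy(text)
    except ValueError as exc:
        return [str(exc)]              # malformed or not IQY at all: hold it
    parts = urlsplit(url)
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("cleartext http fetch")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        reasons.append(f"host {host!r} is not an approved data source")
    return reasons


# Constructed samples: an internal report feed and a lure pointing at a
# placeholder domain (.invalid is reserved and never resolves).
ALLOWED = {"reports.intranet.example"}
LEGIT = "WEB\n1\nhttps://reports.intranet.example/sales.csv\n\nSelection=EntirePage\nFormatting=None\n"
SUSPECT = "WEB\n1\nhttp://attacker-placeholder.invalid/update\n"

if __name__ == "__main__":
    for name, body in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(name, assess(body, ALLOWED) or "allowed")
```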

Researchers don’t know which criminal group is responsible for this campaign; however, it is worth noting the ransomware checks to see if a machine’s language ID is Russian, Kazakh, Belarusian, Ukrainian, or Tatar. If one of these values is matched, the ransomware exits.




Article source: https://www.darkreading.com/attacks-breaches/paradise-ransomware-variant-hides-in-office-iqy-files/d/d-id/1337283?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple