STE WILLIAMS

Ranting researcher publishes VM-busting zero-day without warning

A security researcher has published a zero-day flaw in a commonly-used virtual machine management system without notifying the vendor, justifying it with a scathing critique of the infosecurity industry.

St Petersburg-based Sergey Zelenyuk dropped the bug, which affects Oracle’s VirtualBox software, on GitHub this week.

We’re linking to the bug here because Zelenyuk provides a workaround, and attackers will be at an advantage if they see it and you don’t. The vulnerability lies in the way that default VirtualBox virtual machines treat network communications. The virtual network card lets an attacker with administrative privileges escape to the host operating system.

To exploit the flaw, an attacker first turns off the E1000 virtual network card in the guest OS. They then load their own Linux kernel module (LKM), which is a piece of code that extends Linux’s functionality without having to reboot the system. This LKM, which contains the exploit code, starts its own E1000 virtual network card. The LKM then exploits a buffer overflow vulnerability in the virtual network card, which enables it to gain access to the host system. After that, the attacker can unload the LKM and restart the original E1000 virtual network card so that they can use the network again.

There are some caveats to this attack. The first is that the attacker must have escalated (administrative) privileges on the guest OS. As Zelenyuk points out, though, this is workable, as other exploits can escalate user privileges.

The other caveat is that the attack only gives the hacker access to what’s usually known as “userland” on the host computer, rather than access to the host operating system itself.

Nevertheless, the ability to escape from a virtual machine (VM) to the host computer that’s in charge of the VM has serious consequences – especially if the host is running VMs on behalf of a bunch of different users.

The VirtualBox bug is notable in its own right, but equally interesting is Zelenyuk’s approach. Although he didn’t publish an actual proof of concept executable, he provided extensive details of the exploit without telling Oracle first – a blurt-it-out-publicly approach known as full disclosure.

These days, full disclosure is widely frowned upon in cybersecurity circles, with many researchers following a gentler approach known as responsible disclosure, telling the vendor first and giving them time to fix it.

The researcher said:

I like VirtualBox and it has nothing to do with why I published a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty:

  1. Waiting half a year until a vulnerability is patched is considered fine.

In point two, he claims that bug bounty programs take too long to verify vulnerabilities, change their minds, and don’t provide enough information about the types of vulnerabilities they are interested in or how much they are willing to pay.

Finally, he goes on a hyperbolic rant about the industry in general:

Delusion of grandeur and marketing bullshit: naming vulnerabilities and creating websites for them; making a thousand conferences in a year; exaggerating importance of own job as a security researcher; considering yourself “a world saviour”. Come down, Your Highness.

We asked Oracle, which wouldn’t comment, but instead directed us to its disclosure policies, which say that for a researcher to be credited, “they must follow responsible disclosure practices”. One of these is:

They do not publish the vulnerability prior to Oracle releasing a fix for it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/d3f2SxbInrc/

‘DerpTroll’ derps into plea deal, admits DDoS attacks on EA, Steam, Sony game servers

The man accused over DDoS-bombing several online games hosts in 2013 and 2014 has entered a guilty plea under a deal with US authorities.

According to the US Attorney’s Office, District of California, part of the “DerpTrolling” plea deal cut by 23-year-old Austin Thompson of Utah involved him admitting to causing $95,000 worth of damage.

As we reported in 2014, the DerpTrolling DDoS attacks hit Steam, EA Origin, and Sony Online Entertainment between December 2013 and January 2014.

At the time, in the absence of anything other than Twitter announcements, it was assumed that DerpTrolling was a group, but the Department of Justice media statement attributes the attacks to Thompson alone:

Thompson typically used the Twitter account @DerpTrolling to announce that an attack was imminent and then posted screenshots or other photos showing that victims’ servers had been taken down after the attack. The attacks took down game servers and related computers around the world, often for hours at a time.

Shortly after the attacks, “white hat hackers” on Twitter doxxed Thompson (for example, recorded here by Wayback), but there’s nothing to link this to his arrest.

The maximum penalty for the charge of “Damage to a Protected Computer” is 10 years in prison with three years supervised release, and a fine of $250,000.

Thompson will be sentenced on 1 March 2019. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/08/derptroll_pleads_guilty_to_ddos_attacks/

Oops: Cisco accidentally released in-house Dirty COW exploit attack code with software installer

Cisco this week patched critical vulnerabilities in its switches, Stealthwatch, and Unity voice messaging system. Oh, and ‘fessed up that it accidentally shipped software that included in-house-developed exploit code for attacking Linux systems via the Dirty COW flaw.

The network giant also announced it has begun combing its products to identify any that might inherit the Apache Struts vulnerability patched this week. So far, that search hasn’t turned up any vulnerable products.

QA having a COW

If you’re in the mood for schadenfreude, this notice doesn’t get a CVE number, but reveals Cisco left Dirty COW exploit code in test scripts it shipped with its TelePresence Video Communication Server software.


Cisco blamed the blunder on internal quality control: the code exists to make sure software is patched against known exploits, and someone neglected to remove it before shipping.

The bundled exploit doesn’t open up TelePresence to attack, and new software images without the attack code are available.

Cheeky root account

Thor Simon, of Two Sigma Investments, probably needed a stiff drink when he realised his Cisco Small Business Switch had an undocumented admin account. He reported the flaw to Cisco, which labelled it CVE-2018-15439. It affects the Small Business 200 Series, 250 Series, 300 Series, 350 Series, 350X Series, 500 Series and 500X Series switches.

Unless the admin creates a user account with top-level privilege (Privilege 15 in Cisco-speak), the undocumented root account will persist; and if someone deletes all users with Privilege 15, the switch will re-create the account. There’s no patch in the works, but the workaround is simple: create a Privilege 15 user.

Threat detected in threat detection kit

Stealthwatch is Cisco’s enterprise threat detection and forensics software, and it had an insecure system configuration that let a remote attacker bypass the management console authentication with “crafted HTTP packets”.

Designated CVE-2018-15394, the bug affected Stealthwatch Enterprise versions 6.10.2 and prior.

Are you Java a laugh?

If you drew “Java deserialisation bug” in the sweepstake, your number came up in Cisco Unity Express.

Cisco explained the impact of the insecure deserialisation this way: “An attacker could exploit this vulnerability by sending a malicious serialised Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.”

Unity Express versions prior to 9.0.6 were affected. If you can’t patch, Cisco’s post provided access control list rules to block malicious traffic to TCP port 1099. Cisco said the bug was found by pen-tester Joshua Graham.

And the rest

If you own a Cisco Meraki MR, MS, MX, Z1, or Z3, patch it against CVE-2018-0284, a bug in the local status page that gave an authenticated, remote attacker access to device configuration.

Cisco announced a further 11 bugs rated Medium and listed them here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/08/cisco_dirty_cow_exploit_code/

The Executive Summit Returns to Black Hat Europe 2018

This day-long event for CISOs and execs will show you the way to next-level skills, strategies, and techniques that will bolster your relevance and wow the board.

Black Hat organizers are excited to announce that the popular Executive Summit will return to Black Hat Europe in London next month!

The Black Hat Executive Summit made its debut last year as an exclusive opportunity for CISOs and other cybersecurity executives to learn about next generation information security strategy from a variety of industry experts.

In order to create an open and candid environment that promotes the sharing of ideas, thoughts, and discussion, the Executive Summit follows Chatham House Rule; neither media nor event coverage is permitted.

This day-long summit was designed specifically for executive security practitioners. It offers a unique venue where they can discuss the pressing issues of the day with their peers and security industry luminaries, and still have plenty of time for breaks, lunch, and convivial networking.

For example, after a keynote from AXA UK CISO Michael Colao and a data-driven update on the state of the cybersecurity landscape from Dark Reading Editor in Chief Timothy Wilson, Netflix’s Jimmy Sanders will discuss the benefits and challenges of baking security into your organization by adopting DevSecOps protocols.

Later in the day Andy Jones (the former Maersk CISO) will present an update on life after NotPetya, the infamous Petya malware variant which broke out of the Ukraine in 2017. As the CISO for Maersk Line last year, Jones worked through what was arguably one of the most disruptive cyberattacks in history. Now, as a researcher with the Information Security Forum, he’ll draw on his experience and that of over 400 global organizations to pose and answer the question: What have we learned?

Also, best-selling author and 20-year cybersecurity veteran Jane Frankland will be speaking about the shortage of skilled practitioners in the industry today, how to understand the ways in which that shortage is caused by a lack of diversity and how we, as an industry, can overcome it to better thwart the threats of today — and tomorrow.

This is what the Executive Summit is all about: outlining the next-level skills, strategies, and techniques CISOs need to bolster their relevance and wow the board. It’s also a premier place to meet and learn from the leading lights of the industry. If you’re invited, make sure to leave time in your schedule for the special networking reception held to close out the Summit at The Excel in London.

For CISOs and executives looking to transform from a mere manager of information into a corporate champion of business growth, it’s imperative to stay on top of the latest insight. That journey begins at the Black Hat Executive Summit!

Black Hat Europe returns to The Excel in London December 3-6, 2018. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/the-executive-summit-returns-to-black-hat-europe-2018/d/d-id/1333209?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Things the Most Secure Software Companies Do (and How You Can Be Like Them)

What sets apart the largest and most innovative software engineering organizations? These five approaches are a good way to start, and they won’t break the bank.

Technology powerhouses such as Google, Microsoft, and Apple know how to get security right. They invest in the best technology, processes, and people to ensure that their engineering teams create secure software.

They’re open about their methods for product security engineering. For example, Michal Zalewski, previously head of product security at Google and now VP of security at Snap, has a fascinating blog post with thoughts on how to manage a product security team. The Microsoft Security Response Center has a blog where team members regularly share ideas on how to improve security.

What sets apart the largest and most innovative software engineering organizations? Here are five approaches for changing your security practices and improving your security mindset and posture. These don’t require investments akin to those made by technology giants.

Safer APIs to Prevent Vulnerabilities
Prevention is better than a cure, and ideally you make certain common mistakes impossible. For instance, common cross-site scripting vulnerabilities can be avoided by judicious use of automatic context-aware escaping. Similarly, the notorious problem of SQL injection can be avoided if you give up the ability to run arbitrary string data as queries on a database; instead, you should use a restricted API that builds up the queries in a structured manner — for instance, as prepared statements.

Catch Vulnerabilities at Time Zero
Mistakes will happen, even with perfectly designed, safe APIs. It’s important, therefore, to continuously run analyses that catch mistakes that slipped through. The perfect point to do that is at code review time: close enough to time zero so that the developer’s focus is still with the relevant code change, and yet with a time budget to run deep analysis. This article by the Google code analysis team explains the prerequisites for success. As the team points out, it’s critical that the creation of new analyses can be crowdsourced, with everyone chipping in to define what good, secure coding standards are, and updating the analyses when new classes of vulnerabilities are identified.

Red Teams and Pen Testers to Identify New Blind Spots
To identify your blind spots, use internal red teams to do penetration testing or hire an outside company to attack your systems. It’s an investment, but it can catch problems that are hard to detect mechanically. Bug bounty programs, such as those administered by BugCrowd and HackerOne, can be effective to find your blind spots. However, it’s a waste of money if you don’t implement the cheaper, automated means to first fill the more obvious holes. In fact, advances in artificial intelligence make it possible to apply some of the fuzzing techniques that professional pen testers employ, but automatically — the Microsoft Security Risk Detection service is an example. When pen testers or automated fuzzers find new blind spots, eliminate them by creating new code analyses, as described in the previous paragraph.

Make It Very Hard to Exploit Vulnerabilities
You’re not going to stop all vulnerabilities entering the source code, so you must be prepared for the worst, making sure that even while vulnerabilities are there, they’re extremely hard to exploit. One area under heavy development is that of moving target defense: randomizing heap layout (or code layout) so that attackers have a hard time figuring out how to exploit weaknesses in the code. Address space layout randomization, known as ASLR, is used as additional protection in Windows and Android, for example.

Organizational Structure: The Product Security Team
So far, we’ve looked at technical remedies, but organizational structure is important too, as argued in the blog post by Michal Zalewski mentioned earlier. A common theme at the best software companies is that there is no strict separation between security and engineering: The two are working together, always looking for opportunities to automate security expertise and integrate it into the developer workflow. For example, in the recent news that Facebook’s security chief Alex Stamos resigned, The New York Times quoted an internal memo stating that the security team would no longer operate as a stand-alone entity but instead work more closely with product and engineering teams.

This trend has a name: the product security team. Typically, this team lives in the engineering organization, with a dotted line to the CISO, if that function exists. The CISO looks after IT security much more generally, while the product security team takes responsibility just for the products being developed internally.

The consequences of not moving product security into engineering can be very bad: Security teams simply report on problems and the dev team is pushed to deliver on new features instead of security and ignores the reports by the security team. Security teams are given incentive to report as many problems as possible (covering their butts in case of a breach), yet developers don’t have time to look at all these reports because many of them are not real bugs but false positives. This separation is the old way, and it has been discredited.

True product security can only be achieved when all developers take responsibility for the security of the code that they write. The product security team’s job is to give developers the knowledge and tools to do just that.

There is no standard playbook for how these important tech companies handle security, but they are sharing their tried-and-true methods with the community — something every company successful at security should do. As an industry, we need to think of security as an ecosystem, and sharing best practices is the best way to individually and collectively improve.



Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Oege de Moor is the CEO and Co-Founder of Semmle. Prior to founding Semmle, he spent 21 years as a Professor of Computer Science at Oxford. During a sabbatical from Oxford, he joined Microsoft as a Visiting Researcher, working with Charles Simonyi (the original creator of …

Article source: https://www.darkreading.com/vulnerabilities-and-threats/5-things-the-most-secure-software-companies-do-(and-how-you-can-be-like-them)/a/d-id/1333204?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

StatCounter fingers cache-poisoning caper for Bitcoin-slurping JavaScript hijack

This week’s hijacking of StatCounter’s JavaScript to swipe Bitcoins from a crypto-coin exchange was the result of a web cache poisoning attack, apparently.

The cyber-heist, in which a malicious snippet of JavaScript code was inserted into StatCounter’s tracking script, which websites embed in their pages to monitor visitor traffic, was part of a larger attempt by hackers to intercept and redirect Bitcoin transactions taking place on the Gate.io cryptocurrency exchange.

Fortunately, security sleuths at ESET were able to clock the nasty JS being served from statcounter.com, and reported the caper. Both StatCounter and Gate.io took measures to shut down the attack soon thereafter. Gate.io said that no coins were actually stolen.

But how was the attack possible? StatCounter told The Register that, rather than its servers being directly compromised to sling out bad JS on Gate.io, miscreants poisoned one of its tracking scripts served via its content distribution network, Cloudflare.

This resulted in websites embedding StatCounter code to pull the booby-trapped script from Cloudflare.

What normally happens is this: a website sets up Cloudflare as a cache so that when visitors hit the site, they fetch from the Cloudflare cache instead. This relieves pressure on the website’s servers, and makes Cloudflare take the load. But in order to work, the cache has to reach out to the site’s servers for copies of pages when they are first requested by visitors, and keeps a copy of these files to serve to subsequent requests.

It’s possible to craft requests to the cache such that malicious files are fetched from another server, and not the legit website server, and are stored in the cache so that subsequent requests from visitors fetch the poisoned files from the cache. This is possible using techniques like changing the X-Forwarded-Host header in the HTTP(S) request to pull into the cache an infected file from an evil server.

Cloudflare has been warning of this attack vector for months, but apparently StatCounter had not properly configured their servers and settings to keep an attacker from taking advantage of this weakness.
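A toy model of the mechanism the three paragraphs above describe, written as an added example (it is not code from the article, StatCounter or Cloudflare). A cache keys stored responses on path only; the origin builds an absolute script URL from the request host. The "vulnerable" origin honours X-Forwarded-Host, the hardened one only ever emits its canonical host, so the same sequence of constructed requests poisons one cache and not the other. Hostnames are constructed placeholders.

```python
CANONICAL_HOST = "metrics.example.test"   # constructed placeholder for the real site


class Origin:
    """Origin server that renders an embed snippet pointing at its own script."""

    def __init__(self, trust_forwarded_host):
        self.trust_forwarded_host = trust_forwarded_host

    def handle(self, request):
        headers = request["headers"]
        if self.trust_forwarded_host:
            # Vulnerable: a request header that is not part of the cache key
            # decides which host the cached snippet points at.
            host = headers.get("X-Forwarded-Host", headers.get("Host", CANONICAL_HOST))
        else:
            # Hardened: forwarded-host headers are ignored and the Host value is
            # checked against the allow-list, so only the canonical host is emitted.
            host = headers.get("Host", CANONICAL_HOST)
            if host != CANONICAL_HOST:
                host = CANONICAL_HOST
        return f'<script src="https://{host}/counter.js"></script>'


class Cache:
    """Edge cache keyed on path alone, as the article describes."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def fetch(self, request):
        key = request["path"]
        if key not in self.store:
            self.store[key] = self.origin.handle(request)   # first request fills the cache
        return self.store[key]


def make_request(path, host, forwarded_host=None):
    headers = {"Host": host}
    if forwarded_host is not None:
        headers["X-Forwarded-Host"] = forwarded_host
    return {"path": path, "headers": headers}


def script_host(snippet):
    """Extract the host the cached snippet tells browsers to load from."""
    start = snippet.index("https://") + len("https://")
    return snippet[start:snippet.index("/", start)]


def simulate(trust_forwarded_host):
    """Constructed sequence: one request carrying a foreign X-Forwarded-Host fills
    the cache, then an ordinary visitor fetches the same path. Returns the host
    the visitor is served."""
    cache = Cache(Origin(trust_forwarded_host))
    cache.fetch(make_request("/embed.html", CANONICAL_HOST, "foreign.example.test"))
    visitor = cache.fetch(make_request("/embed.html", CANONICAL_HOST))
    return script_host(visitor)


if __name__ == "__main__":
    print("origin trusts X-Forwarded-Host -> visitor loads from:", simulate(True))
    print("origin hardened               -> visitor loads from:", simulate(False))
```

The defensive check is the `else` branch: if any header that is not part of the cache key can change the response body, either key the cache on that header or stop the origin from reading it.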


While StatCounter said it has since shored up its defenses, and removed the compromised code from the cache, the metrics firm is already down at least one customer:

“Following suspicious activity, we have stopped using StatCounter’s services,” Gate.io told The Register. “No user funds have been removed and we have not seen any irregularities on our platform.”

Cloudflare, meanwhile, kept its statement on the matter brief.

“We do not comment on customer configurations,” a spokesperson tells El Reg. “We have no evidence of a compromise in our infrastructure.”

So there you have it, a potentially catastrophic financial attack appears to have largely been averted and, aside from some lost business for StatCounter, an important lesson was learned with relatively little pain.

Now, go and make sure you have locked down your own cache servers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/08/statcounter_cache_poisoning/

Spammer scum hack 100,000 home routers via UPnP vulns to craft email-flinging botnet

Once again, a hundred thousand or more home routers have been press-ganged into a spam-spewing botnet, this time via Universal Plug and Play (UPnP).

According to brainiacs from 360 Netlab, the malware exploits vulnerabilities in a Broadcom UPnP implementation to infect vulnerable gateways, and that means a load of router manufacturers are affected because their kit uses that technology.

Equipment built by Billion, D-Link, Linksys, Technicolor, TP-Link, ZTE, Zyxel, and Australian supplier NetComm, plus a bunch of devices supplied under ISP brands like CenturyLink and Australian ISP iiNet, are among the 116 device models identified as infected by the malware.

In this Wednesday advisory, Hui Wang and someone calling themselves RootKiter say the hijacked routers were spotted emitting spikes of network traffic to TCP port 5431 and UDP port 1900, used by Broadcom for UPnP. These gateways, infected with botnet malware, were effectively scanning the internet for other vulnerable devices to attack and infect.

The researchers noted that the sweeps are sporadic, but large-scale: “The scan activity picks up every 1-3 days. The number of active scanning IPs in each single event is about 100,000,” meaning about 100,000 commandeered boxes were up and running each time.

When those scans found a router powered by Broadcom’s chipset, with UPnP turned on, an attacker-controlled server would be instructed by the malware to automatically exploit the Broadcom bugs and infect the newly discovered gateway with the software nasty. Once in place on its latest victim, it would communicate with “well-known mail servers such as Outlook, Hotmail, Yahoo! Mail,” and others, which is why the researchers believe its masterminds have created a spam-spilling botnet.


What the pair have dubbed BCMUPnP_Hunter checks to see if a fellow router is vulnerable, then passes its IP address to a command-and-control server at 109[.]248[.]9[.]17:8738. This then prods the router twice with shellcode, first to probe the memory layout of the system, and second to hijack the device using this gathered intelligence to form a customized exploit. Once injected and running on the device, the malware contacts 14 IP addresses operated by mail providers over TCP port 25.

The researchers say a Shodan search for the banner Server: Custom/1.0 UPnP/1.0 Proc/Ver revealed as many as 400,000 potentially vulnerable gizmos. They also provide in their advisory hashes and IP addresses of interest to detect the botnet’s activity on your own network.
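A small detector for the traffic pattern the advisory describes, run over constructed flow records. This is an added example, not part of the 360 Netlab advisory: it flags sources that fan out to many distinct destinations on TCP/5431 or UDP/1900 (the scanning phase), sources that fan out to many mail servers on TCP/25 (the post-infection phase), and notes the fixed source port 6 reported in the SANS comment quoted below. The log format, thresholds and addresses are assumptions; the IPs are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed flow records in an assumed "ts proto src:port -> dst:port" format.
SAMPLE_FLOWS = [
    "2018-11-07T03:12:01Z tcp 192.0.2.10:6 -> 198.51.100.21:5431",
    "2018-11-07T03:12:01Z tcp 192.0.2.10:6 -> 198.51.100.22:5431",
    "2018-11-07T03:12:02Z tcp 192.0.2.10:6 -> 198.51.100.23:5431",
    "2018-11-07T03:12:02Z udp 192.0.2.10:6 -> 198.51.100.24:1900",
    "2018-11-07T03:12:03Z tcp 192.0.2.10:40001 -> 203.0.113.1:25",
    "2018-11-07T03:12:03Z tcp 192.0.2.10:40002 -> 203.0.113.2:25",
    "2018-11-07T03:12:04Z tcp 192.0.2.10:40003 -> 203.0.113.3:25",
    "2018-11-07T03:12:05Z tcp 192.0.2.55:44121 -> 198.51.100.21:5431",
    "2018-11-07T03:12:06Z tcp 192.0.2.55:44122 -> 203.0.113.9:443",
    "2018-11-07T03:12:07Z tcp 192.0.2.77:51000 -> 198.51.100.30:5431",
    "2018-11-07T03:12:07Z tcp 192.0.2.77:51001 -> 198.51.100.31:5431",
    "2018-11-07T03:12:08Z tcp 192.0.2.77:51002 -> 198.51.100.32:5431",
    "this line is deliberately malformed",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$")

UPNP_PORTS = {("tcp", 5431), ("udp", 1900)}   # Broadcom UPnP ports named in the advisory
SMTP_PORT = 25                                # post-infection mail traffic


def parse_flow(line):
    """Parse one record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}


def summarise(lines):
    """Per source: distinct UPnP targets, distinct SMTP targets, UPnP source ports."""
    per_src = defaultdict(lambda: {"upnp_targets": set(), "mail_targets": set(),
                                   "upnp_sports": set()})
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        rec = per_src[f["src"]]
        if (f["proto"], f["dport"]) in UPNP_PORTS:
            rec["upnp_targets"].add(f["dst"])
            rec["upnp_sports"].add(f["sport"])
        elif f["proto"] == "tcp" and f["dport"] == SMTP_PORT:
            rec["mail_targets"].add(f["dst"])
    return per_src


def detect(lines, min_upnp_targets=3, min_mail_targets=3):
    """Flag sources whose fan-out on UPnP ports or on SMTP crosses the threshold.
    Thresholds are assumptions; tune them to the network's normal behaviour."""
    findings = {}
    for src, rec in summarise(lines).items():
        upnp, mail = len(rec["upnp_targets"]), len(rec["mail_targets"])
        if upnp >= min_upnp_targets or mail >= min_mail_targets:
            findings[src] = {
                "upnp_targets": upnp,
                "mail_targets": mail,
                # every UPnP probe from a fixed source port 6, as in the SANS report
                "fixed_sport_6": rec["upnp_sports"] == {6},
            }
    return findings


if __name__ == "__main__":
    for src, info in detect(SAMPLE_FLOWS).items():
        print(src, info)
```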

UPnP has been targeted for years: here’s a SANS diary entry from 2013 that briefly discusses port scans, and in March this year a comment to SANS reported a pattern similar to the scans that attracted 360 Netlab’s attention:

Have been observing this for about 45 days now (since 02/08/2018). Traffic is very bursty – scanning occurs for just an hour or two and stops, then repeats every 3-4 days or so. I have also noticed an (oddly) fixed source port of port 6/tcp on the scan packets. Not sure of the intent – perhaps looking for Broadcom UPnP? But curious that the scanning starts and stops so abruptly from 10’s of thousands of source IPs. Feels botnet-like, but no evidence to support that.

It’s understood the exploited Broadcom UPnP flaw was discovered in 2013, yet years later, many devices remain unpatched despite fixes being developed, due to either users not applying updates or updates not being distributed. If in doubt, install the latest firmware for your router. Disabling UPnP completely isn’t such a bad idea, either. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/08/upnp_spam_botnet_broadcom/

Civil rights group says Oracles, Tapads and Experians get let off for wanton info-sucking

Privacy International (PI) has filed complaints of “systematic infringements” of data protection law by seven info-sucking companies that it says find it too easy to fly under the radar.

In the civil rights group’s sights are data brokers Acxiom and Oracle, ad-tech firms Criteo, Quantcast and Tapad, and credit referencing agencies Equifax and Experian.

PI said it wants European data protection watchdogs to launch probes into the seven companies, which it claimed exploit the data of millions of people without thorough criticism, to assess whether their practices meet the standards set in the General Data Protection Regulation.

The move comes as the data-slurping activities of tech giants like Facebook are under near-constant scrutiny from lawmakers across the world. Privacy International said the firms on its shit list, “despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged”.

Oracle might dispute its perceived lack of brand awareness.

The complaints are based on more than 50 Subject Access Requests and the information the companies provide on firms’ websites. And PI broadly argued that the way these companies use data – especially for profiling – contravenes the GDPR.

“GDPR sets clear limits on the abuse of personal data,” said legal officer Ailidh Callander. “PI’s complaints set out why we consider these companies’ practices are failing to meet the standard – yet we’ve only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”

The Information Commissioner’s Office said yesterday it had issued assessment notices – which allow the body to carry out compulsory audits – to data broker Acxiom, as well as credit reference agencies Experian and Equifax. Privacy International wants the ICO to widen the net.

“These companies’ processing activities are opaque and there is no direct relationship with individuals,” Privacy International said.

“They amass vast amounts of data about millions of individuals, repurpose these data to infer (profile) more data (accurate and inaccurate) about individuals, then share this data with a multitude of third parties for innumerable purposes.”

The group argued the data slurpers failed to comply with the data protection principles, set out in Article 5 of GDPR, of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy.

It added the seven don’t have a legal basis for the way they use people’s data. Under GDPR, there are six lawful bases for data processing, including the much-talked-about consent – but Privacy International said the firms can’t claim any of these.

“Where they claim that consent is a valid basis for processing they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous.

“Where they rely on legitimate interest they have moulded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.”

Further to this, the complaints said the slurpers lack a basis for processing sensitive personal data, which imposes stricter requirements on data controllers, and claimed there were various obstacles stopping people from exercising their individual rights under GDPR.

The group also noted that a number of the seven have had data breaches in the past – Equifax is still feeling the pressure of its 2017 breach in which hackers made off with records on 46 million people.

The Register asked the seven slurpers to comment. Oracle has refused to comment and we’ve yet to hear from the others. ®

Big Red example – a deeper dive into PI’s complaint

Privacy International’s complaint about Oracle outlines particular concerns about the Oracle Data Cloud, which allows advertisers to personalise customer interactions, and aggregates and analyses that customer data.

People are put into segments – of which there are thousands, including interests like online dating; dieting and weight; politics – to help advertisers figure out what to push at them.

“The scale of Oracle’s processing activities, ‘more than 30,000 data attributes on two billion consumer profiles drawn from 1,500 data partners’, means that even though Oracle names data providers/partners it is extremely difficult to pinpoint the original source of the data,” PI noted.

“As a result, it is de facto impossible for data subjects to understand how data that they have provided at one place and time ends up in Oracle’s hands,” PI said. And without knowing where it came from, or what it is, it remains hard to figure out what has been inferred, and what the consequences might be.

On profiling – where information is derived, inferred or predicted to generate new data – PI said Oracle fails to offer sufficiently granular information, especially given the scale of its profiling activities.

PI also outlined various ways in which it believes Oracle’s reliance on consent and legitimate interests fall down, including the fact it relies on consent obtained by other data controllers further up the data supply chain.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/08/privacy_international_complaints_data_brokers_ad_tech/

If Shadow Home Sec Diane Abbott can be reeled in by phishers, truly no one is safe

While fraudsters traditionally prey on the gullible and feeble-minded, their wicked ways have ensnared British Labour MP Diane Abbott.

The Shadow Home Secretary admitted to handing over control of her computer to a stranger after a random caller asked her to install Remote PC. It’s a common scam. Once the miscreant has control of the PC, they often attempt to steal sensitive information like passwords and bank details.

As Home Secretary – note that Ladbrokes offers 4-1 on Labour being the next government – Ms Abbott would be responsible for cybersecurity, as well as crime and policing. She would also have to decide whether the UK implements an identity card system, an idea currently being revived in the context of “digital government”.

We asked her office if Ms Abbott would consider helping to publicise the menace of PC Support fraud. Perhaps as its public face?

We haven’t yet heard a reply. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/08/abbott_pc_support_scam_confession/

New Side-Channel Attacks Target Graphics Processing Units

A trio of new attacks bypass CPUs to wring data from vulnerable GPUs.

A new brand of side-channel vulnerabilities has been disclosed and this time it’s not the CPU that’s under attack: it’s the GPU.

New exploits published by computer scientists at the University of California, Riverside, leave both individual users and high-performance computing systems at potential risk. The three sets of exploits pull sensitive data out of a graphics processing unit core, and do so with relative ease, compared to some of the side-channel attacks that have been demonstrated on CPUs.

Two of the attacks target individual users, pulling information on website history and passwords. The third could open the door to an organization’s machine-learning or neural network applications, exposing details about their computational model to competitors.

The researchers’ paper, Rendered Insecure: GPU Side Channel Attacks are Practical, was presented at the ACM SIGSAC conference, and the vulnerabilities have been disclosed to Nvidia, Intel, and AMD.

The first two attacks take advantage of the cores in a GPU communicating in parallel to complete a workload. Knowing about that communication means that, “…if we coordinate it right then we achieve really high bandwidth so that we can block out noise,” says Nael Abu-Ghazaleh, professor of computer science and engineering, and of electrical and computer engineering at the university.

The basic attack technique works like this: “There is a victim process and then there’s somebody else spying on it through leakage in the caches or other shared resources,” he says. The fact that all the cores share certain resources means that the attacker doesn’t have to figure out which core is running a particular thread, greatly simplifying the attack.

An attack on the API dealing with memory allocation for the GPU cores allows an attacker to ultimately figure out which websites have been visited in a process Abu-Ghazaleh describes as website “fingerprinting.” If the point of attack is memory allocation based on keystrokes entered by the user, then “with well-known attacks on timing you can actually figure out with high certainty what are the candidate passwords and quickly get to the point where you can crack the password,” he says.

Vulnerable Intelligence

The vulnerability that affects machine learning applications depends on understanding certain counters that are actually designed to make programming a GPU easier.

“Things can go really wrong when you’re writing GPU code because it’s very sensitive to memory access patterns and so on,” Abu-Ghazaleh says. “The counters are provided to give this insight, and they’re accessible from user mode,” he explains. If a spy process can watch these counters, it can gain incredible insight into the processes that are running.

In the attack, workloads are sent to the GPU concurrently with the victim workload in order to cause stress and the resulting update of the counters. Within the GPU, there can be more than 200 of these counters keeping track of various performance aspects, so the picture of what is happening can become quite clear.

Abu-Ghazaleh says that the ultimate danger of these attacks would be in a shared GPU-compute configuration, such as in a cloud-based machine learning environment. 

Turning off user mode access to the counters can defend against the third attack but would also break many existing applications that depend on the functionality. Nvidia has not yet released patches for the vulnerability, but Abu-Ghazaleh says that he understands patches to be in the works.

As of press time, Nvidia had not responded to Dark Reading for comment.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/new-side-channel-attacks-target-graphics-processing-units/d/d-id/1333226?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple