Security Roundup - 2018-01-04
CPU architecture vulnerabilities plague all. The big news this week is a series of vulnerabilities for many modern CPUs, including Intel (who fared the worst in the news), AMD, and ARM. The vulnerabilities allow malicious users to read memory they would not normally be able to, allowing them to do thinks like harvest passwords and encryption keys. Even worse, this breaks out of sandboxes such that an exploit on a virtual machine could read memory from other virtual machines on the same host. For those interested, you can now read the technical details.
Major hardware as a service providers like Google and Amazon have already suggested they have instituted corrections to their systems, while operating system providers have declared that patches to protect against these flaws are forthcoming. Microsoft has unfortunately discovered some problems with AV vendors and their proposed patch.
Mozilla has indicated that this type of attack is potentially possible from the browser and are implementing features to mitigate. Chrome already has additional sandboxing features that are labelled experimental, but that they plan to roll out in an upcoming major release.
2017 Breaches in review. Troy Hunt has done an annual retrospective of his 2017, which of course includes stats from HaveIBeenPwned.com. 2017 was pretty sad, with a 50% increase in the number of breaches from all breaches previous to 2017, and total number of records more than doubling from 2 billion to 4.8 billion.
Threat Modeling Tools for 2018. Does part of your job involve threat modeling? Then you may be interested in this post by Adam Shostack enumerating some interesting new threat modeling tools developed in 2017.
Hacker Q&A With EdOverflow. EdOverflow is the person behind the security.txt RFC to make a robots.txt equivalent for hacking targets and contact information. HackerOne has a Q&A with him about his background in security and his experience with bug bounty programs.
TLS 1.3 could improve IoT security. Cloudflare points out how TLS 1.2 adds a lot of overhead for communication, to the point where IoT protocols become much more heavy. However TLS 1.3 improves on this considerably, reducing the number of round trips to make TLS more palatable. Additionally, new algorithms use smaller, more secure keys, which allows for low memory devices to be more likely to use them.
Interesting defense against ATM skimmers. We love/are horrified by reading about ATM skimmers. This week’s story comes with a twist in that it is a defense against current ATM skimmer attacks. Many ATM skimmers are still overlays, so one ATM owner printed their own card overlay so that fraudsters would have a rough time deploying their own. The author of the article finds the concept interesting, and extrapolates that to making each system have a degree of custom variability to thwart this type of attack. However, since the thing is (currently) 3D printed, it looks sketchy in and of itself and may cause users to turn away from valid ATMs.
Trackmageddon. Another alarmingly named issue is making the rounds with the name Trackmageddon. Involving a number of GPS tracking services for vehicles, this allows unauthorized and unauthenticated users api access to obtain information like location history, phone numbers, and vehicle IMEI numbers, though the researchers also found photo and audio files. Researchers later learned this might actually have been reported in 2015, but that means more than 100 sites are still vulnerable.