Silicon Shecky

Infosec Practitioner

Connect

We are headed for a Spectre of a Meltdown

By Leave a Comment

Time to talk a bit about Spectre and Meltdown. I know, I touched on these two last week, but there is more to discuss. There are things afoot with these two that have given me some thoughts. No, I do not think the sky is falling.

I am going to start with a little tweet that I saw:

Worrisome? Yes. Sky is falling? No. Outside of a POC with JavaScript, I have heard nothing that does not show these bugs are LOCAL which is even mentioned in the CVEs. Add on they are Data Leak and not RCE (Remote Code Execution for those unfamiliar with the term). This demo shows though that there is code to take advantage of Meltdown/Spectre. Seeing something like this makes me believe that there is code used in the wild that we do not know about yet. So, what we need to do is update ourselves. Keeping an eye on processes through things like CarbonBlack Response or similar types of tools might be able to give us some insight into this sort of exploit happening. Once Alex releases his code, it will be easier to create alerts and watchlists for such activity.

Next up on my parade with Spectre/Meltdown is IoT. We all know that IoT can be difficult at best to update. So much hard coded passwords, or no security really at all in the devices. You might think, so what if my fridge is leaking data? OSINT, passwords for Google or Amazon, what apps do the devices use? There are so man possibilities. Smart TVs, think about that. There people have passwords for Hulu, Amazon, Netflix, etc… let alone viewing history and other data. How fast are patches going to be put out for those items, and will those patches be worse than the potential exploit? Which brings me to the final thought for this post…

Ever heard of the cure being worse than the disease? This statement was a fact with the Microsoft patches. AV could cause blue screening and bricking of systems as well as just having an AMD chip. It has been said that companies like Microsoft had known about Spectre/Meltdown for a couple of months prior to the disclosure. You would think they would have been building and testing patches for it for a while if they did. Instead, it looks like the patches were rushed out. So Microsoft has stopped sending out patches in certain instances. I keep hearing conflicting reports that the key that AV vendors are supposed to put in is required not just for the Spectre/Meltdown patch but without it, all patches will stop (if you have automatic patching set up). That could affect home users big time. Mind you I heard about that from Smashing Security’s podcast on 1/11/18.

Still I maintain that more is being made out of this in the mainstream media in the wrong way. Especially as far as IoT goes, this could be a great tool to start forcing those device makers to do a better job with security overall. Once again though, I think being vigilant is the best solution at this time. Keep our heads up, and watch for the signs, test the fixes, and go about our daily business. Interestingly enough a major security issue with Dell EMC happened and was not mentioned while we have been freaking out about Spectre/Meltdown. Time for us to stop melting down about this one I think.

 

Get Over It…

By Leave a Comment

I turn on the tube and what do I see

A whole lotta people cryin’ “Don’t blame me”
They point their crooked little fingers at everybody else
Spend all their time feelin’ sorry for themselves
Victim of this, victim of that
Your momma’s too thin; your daddy’s too fat
Get over it” – Get Over It by The Eagles
     Some of the most true lyrics for these times. Everyone wants things fixed, no one is willing to own up to their mistakes. Security is an illusion.
     There is a group, that professes to be all about our security. We hate them. They have put up barriers, slowed us down, made us uncomfortable. They have shown that they can’t do their job, stuff gets through, we are not much more secure with them around. The watch us, scan us, stop us from having things with us that we feel we need. Still, we are no more secure. They limit access, have special lanes, and can be invasive all in the name of better security. Yet we are still vulnerable. It is a show, security is an illusion.
   Yes, I’m talking about the TSA in the previous paragraph, but think about it. I could very easily be talking about our industry, information security. We all know there is no way to make us 100% secure. so we posture, put out new products and still get pwned. We make the end users life more difficult. This world keeps accelerating, first to market is the thing. The end user doesn’t really care about security though. They want it, yes, but they don’t want to think about it. Instead though, products that might be superior security wise tend to not be popular. Why? Simple, first to market is first to market. Unless that first to market item has some super major usability issue to it (see Android 1) or is priced too high (the original Windows PDA phones), first to market is hard to dethrone.
   What do we, our community of infosec professionals and hobbyists do about this? We berate, we laugh, we joke and we act superior. Now we are even doing that among ourselves. We are the jerks, and that jerkishness doesn’t help, it hinders. We are not educating the end users. Yes it is their fault, but it isn’t. they shouldn’t have to worry about the security of computers, networks, IoT, and other devices. They have to though because of first to market. We have to educate them to care, and we have to figure out a way of taking our snark out of the process. to empower them to make the choice for the better, more secure product. Then we might start seeing companies trying to bake better security into devices from the start.
   I mentioned us being jerks to each other. that needs to calm down also. doing that is a good way to scare people away from becoming part of the solution. Who wants to work and deal with jerks? Yeah, we can snark, but we need to know when and where to use it. We need to be more welcoming for new people and more understanding of each other. As our industry becomes more and more compartmentalized, we need to work more and more on our soft skills. We need each other, because not a single one of us can know it all.
   Security is an illusion, yes, but we can make things more secure than they were. We just need to get our heads on straight and stop being the problem.