Silicon Shecky

Infosec Practitioner


We are headed for a Spectre of a Meltdown

January 11, 2018 By Michael Kavka Leave a Comment

Time to talk a bit about Spectre and Meltdown. I know, I touched on these two last week, but there is more to discuss. There are things afoot with these two that have given me some thoughts. No, I do not think the sky is falling.

I am going to start with a little tweet that I saw:

I can finally efficiently (fast) and reliably (no errors) read paged pool/non-L1 data. Time for MeltiKatz/MimiDown. I’ll sit on this a few weeks before setting the world on fire and watching it burn. Or probably someone will do it first ? pic.twitter.com/iLQOezrPV7

— Alex Ionescu (@aionescu) January 11, 2018

Worrisome? Yes. Sky is falling? No. Outside of a JavaScript PoC, everything I have heard shows these bugs are LOCAL, which is even stated in the CVEs (the JavaScript case matters only because a web page you visit counts as code running locally on the machine). Add to that that they are data leaks and not RCE (Remote Code Execution, for those unfamiliar with the term). This demo does show, though, that there is working code to take advantage of Meltdown/Spectre. Seeing something like this makes me believe that there is code in use in the wild that we do not know about yet. So, what we need to do is update ourselves. Keeping an eye on processes through tools like Carbon Black Response, or similar, might give us some insight into this sort of exploit happening. Once Alex releases his code, it will be easier to create alerts and watchlists for such activity.

Next up on my parade with Spectre/Meltdown is IoT. We all know that IoT can be difficult at best to update: so many hard-coded passwords, or no security at all in the devices. You might think, so what if my fridge is leaking data? OSINT, passwords for Google or Amazon accounts, what apps the devices use; there are so many possibilities. Smart TVs, think about that. There, people have passwords for Hulu, Amazon, Netflix, etc., let alone viewing history and other data. How fast are patches going to be put out for those items, and will those patches be worse than the potential exploit? Which brings me to the final thought for this post...

Ever heard of the cure being worse than the disease? That statement held true for the Microsoft patches. Incompatible AV could cause blue screens and bricked systems, as could simply having an AMD chip. It has been said that companies like Microsoft had known about Spectre/Meltdown for a couple of months prior to the disclosure. You would think they would have been building and testing patches for a while if they did. Instead, it looks like the patches were rushed out, and Microsoft has since stopped sending out the patches in certain instances. I keep hearing conflicting reports that the registry key AV vendors are supposed to set is required not just for the Spectre/Meltdown patch, but that without it all patches will stop (if you have automatic patching set up). That could affect home users big time. Mind you, I heard about that from the Smashing Security podcast of 1/11/18.
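Whichever reading of the AV compatibility requirement turns out to be right, the practical question for an admin is the same: is the key set on this box, did the January updates land, and are the mitigations actually on? The following PowerShell check is an added example, not code from the original post or from Microsoft. It reads the QualityCompat registry value that Microsoft told AV vendors to set (REG_DWORD 0 under the named GUID value), lists hotfixes installed on or after the 3 January 2018 out-of-band release, and, if the SpeculationControl PowerShell module from the PowerShell Gallery is installed, reports the kernel-side mitigation state. The cutoff date and the exact message text are choices made for this example.

```powershell
# Added example (not from the original post): triage a Windows host for the
# January 2018 Meltdown/Spectre updates.
# Assumes: run in an elevated session; the SpeculationControl module
# (Install-Module SpeculationControl) may or may not be present.

$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # AV vendors set this to REG_DWORD 0

function Test-AvCompatKey {
    # $true only when the value exists AND is exactly 0; anything else means
    # Windows Update treats the installed AV as unverified.
    if (-not (Test-Path -Path $compatKey)) { return $false }
    $props = Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    if (-not ($props.PSObject.Properties.Name -contains $compatName)) { return $false }
    return ($props.$compatName -eq 0)
}

function Get-HotfixesSince {
    param([datetime]$Cutoff = (Get-Date '2018-01-03'))   # out-of-band release date (example cutoff)
    # Some entries have no InstalledOn date; skip those rather than error.
    Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Cutoff } |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-MitigationState {
    # Wraps Get-SpeculationControlSettings so the script still runs without the module.
    $cmd = Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue
    if ($null -eq $cmd) { return $null }
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        BranchTargetInjectionEnabled = [bool]$s.BTIWindowsSupportEnabled   # Spectre variant 2
        KvaShadowRequired            = [bool]$s.KVAShadowRequired         # CPU needs Meltdown fix
        KvaShadowEnabled             = [bool]$s.KVAShadowWindowsSupportEnabled
    }
}

# --- report ---------------------------------------------------------------
if (Test-AvCompatKey) {
    Write-Host '[OK]   QualityCompat value present and 0; Windows Update will offer the updates.'
} else {
    Write-Host '[WARN] QualityCompat value missing or not 0; Windows Update may withhold the January and later security updates until the AV vendor sets it.'
}

Write-Host "`nHotfixes installed since 3 Jan 2018:"
Get-HotfixesSince | Format-Table -AutoSize

$state = Get-MitigationState
if ($null -eq $state) {
    Write-Host '[INFO] SpeculationControl module not installed; run Install-Module SpeculationControl to check mitigation state.'
} else {
    $state | Format-List
    if ($state.KvaShadowRequired -and -not $state.KvaShadowEnabled) {
        Write-Host '[WARN] CPU is affected by Meltdown but kernel VA shadowing is not enabled.'
    }
}
```

A missing hotfix plus a missing QualityCompat value is the combination the podcast reports were warning about: the machine is quietly not being offered updates. The AMD blue-screen problem is a separate failure mode and shows up here as a hotfix that installed and then had to be rolled back, so the hotfix list should be read together with the event log rather than on its own.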

Still, I maintain that more is being made of this in the mainstream media, and in the wrong way. Especially as far as IoT goes, this could be a great lever to start forcing device makers to do a better job with security overall. Once again, though, I think being vigilant is the best course at this time: keep our heads up, watch for the signs, test the fixes, and go about our daily business. Interestingly enough, a major security issue with Dell EMC came out and went unmentioned while we have been freaking out about Spectre/Meltdown. Time for us to stop melting down about this one, I think.

Filed Under: Security Tagged With: IoT, Meltdown, Patching, Spectre

Frost Piss.. er First Post of 2018

January 5, 2018 By Michael Kavka Leave a Comment

From the frozen sections of the Northern U.S. welcome to 2018! I hope everyone had a good holiday and is refreshed. If not, step outside in the cold, you’ll at least be somewhat refreshed.

Spectre/Meltdown. There, I have mentioned it. With so many fantastic write-ups and posts out there, you don't need another one, so let's move on.

One of the things I have been noticing is a lack of forethought. We (and our bosses especially) are so caught up in the reactionary phase of things that we tend not to think things through. A new vuln comes out, Chicken Little starts screaming, and we all get overstressed. This happens whether there is a PoC, it is found in the wild, or neither. In a product's community forum recently, someone asked, about the current hullabaloo, why worry about the endpoints when there is nothing in the wild. I responded with the same statement I am making here: why be reactive when you can be proactive?

Now I know, we have pen tests, vuln scans, SIEM and blah blah blah that make us proactive. Do they really, though? How often are we reacting to something from one of our tools? Yes, you can claim putting the tool in place is being proactive. How long, though, between finding something with the tools and mitigating it? Days? Weeks? Months? How often could being a little faster to respond to some proactive tool have stopped a piece of malware coming in?

While this is a big deal, there is another one: the planning stage for, well, anything. Take acquisitions, for example. Are you auditing their security posture? What about their AD? How messed up is it? When will it get cleaned up? How are they granting access and putting people in security groups? How will that translate to your company's policies? What happens when you try to merge them into your AD/file share structure? Is their share structure just going to be moved over to your domain, or are you copying the data over only? These are important questions, and they affect your company's security posture.

It is a new year, and really time to start thinking anew. After all, you can't fill up an already full teacup, and you can't learn unless you empty out your preconceived notions.

Filed Under: General, Rants Tagged With: Meltdown, Security, Spectre
