Some Basic Rules for Securing Your IoT Stuff

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore to the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important.

-Rule #3: Update the firmware. Hardware vendors sometimes make available security updates for the software that powers their consumer devices (known as “firmware). It’s a good idea to visit the vendor’s Web site and check for any firmware updates before putting your IoT things to use, and to check back periodically for any new updates.

-Rule #4: Check the defaults, and make sure features you may not want or need like UPnP (Universal Plug and Play — which can easily poke holes in your firewall without you knowing it) — are disabled.

Want to know if something has poked a hole in your router’s firewall? Censys has a decent scanner that may give you clues about any cracks in your firewall. Browse to whatismyipaddress.com, then cut and paste the resulting address into the text box at Censys.io, select “IPv4 hosts” from the drop-down menu, and hit “search.”

If that sounds too complicated (or if your ISP’s addresses are on Censys’s blacklist) check out Steve Gibson‘s Shield’s Up page, which features a point-and-click tool that can give you information about which network doorways or “ports” may be open or exposed on your network. A quick Internet search on exposed port number(s) can often yield useful results indicating which of your devices may have poked a hole.

If you run antivirus software on your computer, consider upgrading to a “network security” or “Internet security” version of these products, which ship with more full-featured software firewalls that can make it easier to block traffic going into and out of specific ports.

Alternatively, Glasswire is a useful tool that offers a full-featured firewall as well as the ability to tell which of your applications and devices are using the most bandwidth on your network. Glasswire recently came in handy to help me determine which application was using gigabytes worth of bandwidth each day (it turned out to be a version of Amazon Music’s software client that had a glitchy updater).

-Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities built-in. P2P IoT devices are notoriously difficult to secure, and research has repeatedly shown that they can be reachable even through a firewall remotely over the Internet because they’re configured to continuously find ways to connect to a global, shared network so that people can access them remotely. For examples of this, see previous stories here, including This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

-Rule #6: Consider the cost. Bear in mind that when it comes to IoT devices, cheaper usually is not better. There is no direct correlation between price and security, but history has shown the devices that tend to be toward the lower end of the price ranges for their class tend to have the most vulnerabilities and backdoors, with the least amount of vendor upkeep or support.

In the wake of last month’s guilty pleas by several individuals who created Mirai — one of the biggest IoT malware threats ever — the U.S. Justice Department released a series of tips on securing IoT devices.

One final note: I realize that the people who probably need to be reading these tips the most likely won’t ever know they need to care enough to act on them. But at least by taking proactive steps, you can reduce the likelihood that your IoT things will contribute to the global IoT security problem.

From https://krebsonsecurity.com/2018/01/some-basic-rules-for-securing-your-iot-stuff/

Advertisements

Serial SWATter Tyler “SWAuTistic” Barriss Charged with Involuntary Manslaughter

Tyler Raj Barriss, a 25-year-old serial “swatter” whose phony emergency call to Kansas police last month triggered a fatal shooting, has been charged with involuntary manslaughter and faces up to eleven years in prison.

Tyler Raj Barriss, in an undated selfie.

Barriss’s online alias — “SWAuTistic” — is a nod to a dangerous hoax known as “swatting,” in which the perpetrator spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with potentially deadly force.

Barriss was arrested in Los Angeles this month for alerting authorities in Kansas to a fake hostage situation at an address in Wichita, Kansas on Dec. 28, 2017.

Police responding to the alert surrounded the home at the address Barriss provided and shot 28-year old Andrew Finch as he emerged from the doorway of his mother’s home. Finch, a father of two, was unarmed, and died shortly after being shot by police.

The officer who fired the shot that killed Finch has been identified as a seven-year veteran with the Wichita department. He has been placed on administrative leave pending an internal investigation.

Following his arrest, Barriss was extradited to a Wichita jail, where he had his first court appearance via video on FridayThe Los Angeles Times reports that Barriss was charged with involuntary manslaughter and could face up to 11 years and three months in prison if convicted.

The moment that police in Kansas fired a single shot that killed Andrew Finch (in doorway of his mother’s home).

Barriss also was charged with making a false alarm — a felony offense in Kansas. His bond was set at $500,000.

Sedgwick County District Attorney Marc Bennett told the The LA Times Barriss made the fake emergency call at the urging of several other individuals, and that authorities have identified other “potential suspects” that may also face criminal charges.

Barriss sought an interview with KrebsOnSecurity on Dec. 29, just hours after his hoax turned tragic. In that interview, Barriss said he routinely called in bomb threats and fake hostage situations across the country in exchange for money, and that he began doing it after his own home was swatted.

Barriss told KrebsOnSecurity that he felt bad about the incident, but that it wasn’t he who pulled the trigger. He also enthused about the rush that he got from evading police.

“Bomb threats are more fun and cooler than swats in my opinion and I should have just stuck to that,” he wrote in an instant message conversation with this author.

In a jailhouse interview Friday with local Wichita news station KWCH, Barriss said he feels “a little remorse for what happened.”

“I never intended for anyone to get shot and killed,” he reportedly told the news station. “I don’t think during any attempted swatting anyone’s intentions are for someone to get shot and killed.”

The Wichita Eagle reports that Barriss also has been charged in Calgary, Canada with public mischief, fraud and mischief for allegedly making a similar swatting call to authorities there. However, no one was hurt or killed in that incident.

Barriss was convicted in 2016 for calling in a bomb threat to an ABC affiliate in Los Angeles. He was sentenced to two years in prison for that stunt, but was released in January 2017.

Using his SWAuTistic alias, Barriss claimed credit for more than a hundred fake calls to authorities across the nation. In an exclusive story published here on Jan. 2, KrebsOnSecurity dissected several months’ worth of tweets from SWAuTistic’s account before those messages were deleted. In those tweets, SWAuTistic claimed responsibility for calling in bogus hostage situations and bomb threats at roughly 100 schools and at least 10 residences.

In his public tweets, SWAuTistic claimed credit for bomb threats against a convention center in Dallas and a high school in Florida, as well as an incident that disrupted a much-watched meeting at the U.S. Federal Communications Commission (FCC) in November.

But in private online messages shared by his online friends and acquaintances SWAuTistic can be seen bragging about his escapades, claiming to have called in fake emergencies at approximately 100 schools and 10 homes.

The serial swatter known as “SWAuTistic” claimed in private conversations to have carried out swattings or bomb threats against 100 schools and 10 homes.

From https://krebsonsecurity.com/2018/01/serial-swatter-tyler-swautistic-barriss-charged-with-involuntary-manslaughter/

Canadian Police Charge Operator of Hacked Password Service Leakedsource.com

Canadian authorities have arrested and charged a 27-year-old Ontario man for allegedly selling billions of stolen passwords online through the now-defunct service Leakedsource.com.

The now-defunct Leakedsource service.

On Dec. 22, 2017, the Royal Canadian Mounted Police (RCMP) charged Jordan Evan Bloom of Thornhill, Ontario for trafficking in identity information, unauthorized use of a computer, mischief to data, and possession of property obtained by crime. Bloom is expected to make his first court appearance today.

According to a statement from the RCMP, “Project Adoration” began in 2016 when the RCMP learned that LeakedSource.com was being hosted by servers located in Quebec.

“This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information,” said Rafael Alvarado, the officer in charge of the RCMP Cybercrime Investigative Team. “The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality.”

In January 2017, multiple news outlets reported that unspecified law enforcement officials had seized the servers for Leakedsource.com, perhaps the largest online collection of usernames and passwords leaked or stolen in some of the worst data breaches — including three billion credentials for accounts at top sites like LinkedIn and Myspace.

Jordan Evan Bloom. Photo: RCMP.

LeakedSource in October 2015 began selling access to passwords stolen in high-profile breaches. Enter any email address on the site’s search page and it would tell you if it had a password corresponding to that address. However, users had to select a payment plan before viewing any passwords.

The RCMP alleges that Jordan Evan Bloom was responsible for administering the LeakedSource.com website, and earned approximately $247,000 from trafficking identity information.

A February 2017 story here at KrebsOnSecurity examined clues that LeakedSource was administered by an individual in the United States.  Multiple sources suggested that one of the administrators of LeakedSource also was the admin of abusewith[dot]us, a site unabashedly dedicated to helping people hack email and online gaming accounts.

That story traced those clues back to a Michigan man who ultimately admitted to running Abusewith[dot]us, but who denied being the owner of LeakedSource.

The RCMP said it had help in the investigation from The Dutch National Police and the FBI. The FBI could not be immediately reached for comment.

LeakedSource was a curiosity to many, and for some journalists a potential source of news about new breaches. But unlike services such as BreachAlarm and HaveIBeenPwned.com — which force users to verify that they can access a given account or inbox before the site displays whether it has found a password associated with the account in question — LeakedSource did nothing to validate users.

This fact, critics charged, showed that the proprietors of LeakedSource were purely interested in making money and helping others pillage accounts.

Since the demise of LeakedSource.com, multiple, competing new services have moved in to fill the void. These services — which are primarily useful because they expose when people re-use passwords across multiple accounts — are popular among those involved in a variety of cybercriminal activities, particular account takeovers and email hacking.

From https://krebsonsecurity.com/2018/01/canadian-police-charge-operator-of-hacked-password-service-leakedsource-com/

Bitcoin Blackmail by Snail Mail Preys on Those with Guilty Conscience

KrebsOnSecurity heard from a reader whose friend recently received a remarkably customized extortion letter via snail mail that threatened to tell the recipient’s wife about his supposed extramarital affairs unless he paid $3,600 in bitcoin. The friend said he had nothing to hide and suspects this is part of a random but well-crafted campaign to prey on men who may have a guilty conscience.

The letter addressed the recipient by his first name and hometown throughout, and claimed to have evidence of the supposed dalliances.

“You don’t know me personally and nobody hired me to look into you,” the letter begins. “Nor did I go out looking to burn you. It is just your bad luck that I stumbled across your misadventures while working on a job around Bellevue.”

The missive continues:

“I then put in more time than I probably should have looking into your life. Frankly, I am ready to forget all about you and let you get on with your life. And I am going to give you two options that will accomplish that very thing. These two options are to either ignore this letter, or simply pay me $3,600. Let’s examine those two options in more detail.”

The letter goes on to say that option 1 (ignoring the threat) means the author will send copies of his alleged evidence to the man’s wife and to her friends and family if he does not receive payment within 12 days of the letter’s post marked date.

“So [name omitted], even if you decide to come clean with your wife, it won’t protect her from the humiliation she will feel when her friends and family find out your sordid details from me,” the extortionist wrote.

Option 2, of course, involves sending $3,600 in Bitcoin to an address specified in the letter. That bitcoin address does not appear to have received any payments. Attached to the two-sided extortion note is a primer on different ways to quickly and easily obtain bitcoin.

“If I don’t receive the bitcoin by that date, I will go ahead and release the evidence to everyone,” the letter concludes. “If you go that route, then the least you could do is tell your wife so she can come up with an excuse to prepare her friends and family before they find out. The clock is ticking, [name omitted].”

Of course, sending extortion letters via postal mail is mail fraud, a crime which carries severe penalties (fines of up to $1 million and up to 30 years in jail). However, as the extortionist rightly notes in his letter, the likelihood that authorities would ever be able to catch him is probably low.

The last time I heard of or saw this type of targeted extortion by mail was in the wake of the 2015 breach at online cheating site AshleyMadison.com. But those attempts made more sense to me since obviously many AshleyMadison users quite clearly did have an affair to hide.

In any case, I’d wager that this scheme — assuming that the extortionist is lying and has indeed sent these letters to targets without actual knowledge of extramarital affairs on the part of the recipients — has a decent chance of being received by someone who really does have a current or former fling that he is hiding from his spouse. Whether that person follows through and pays the extortion, though, is another matter.

I searched online for snippets of text from the extortion letter and found just one other mention of what appears to be the same letter: It was targeting people in Wellesley, Mass, according to a local news report from December 2017.

According to that report, the local police had a couple of residents drop off letters or call to report receiving them, “but to our knowledge no residents have fallen prey to the scam. The envelopes have no return address and are postmarked out of state, but from different states. The people who have notified us suspected it was a scam and just wanted to let us know.”

In the Massachusetts incidents, the extortionist was asking for $8,500 in bitcoin. Assuming it is the same person responsible for sending this letter, perhaps the extortionist wasn’t getting many people to bite and thus lowered his “fee.”

I opted not to publish a scan of the letter here because it was double-sided and redacting names, etc. gets dicey thanks to photo and image manipulation tools. Here’s a transcription of it instead (PDF).

From https://krebsonsecurity.com/2018/01/bitcoin-blackmail-by-snail-mail-preys-on-those-with-guilty-conscience/

Microsoft’s Jan. 2018 Patch Tuesday Lowdown

Microsoft on Tuesday released 14 security updates, including fixes for the Spectre and Meltdown flaws detailed last week, as well as a zero-day vulnerability in Microsoft Office that is being exploited in the wild. Separately, Adobe pushed a security update to its Flash Player software.

Last week’s story, Scary Chip Flaws Raise Spectre of Meltdown, sought to explain the gravity of these two security flaws present in most modern computers, smartphones, tablets and mobile devices. The bugs are thought to be mainly exploitable in chips made by Intel and ARM, but researchers said it was possible they also could be leveraged to steal data from computers with chips made by AMD.

By the time that story had published, Microsoft had already begun shipping an emergency update to address the flaws, but many readers complained that their PCs experienced the dreaded “blue screen of death” (BSOD) after applying the update. Microsoft warned that the BSOD problems were attributable to many antivirus programs not yet updating their software to play nice with the security updates.

On Tuesday, Microsoft said it was suspending the patches for computers running AMD chipsets.

“After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,” the company said in a notice posted to its support site.

“To prevent AMD customers from getting into an unbootable state, Microsoft has temporarily paused sending the following Windows operating system updates to devices that have impacted AMD processors,” the company continued. “Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible.”

In short, if you’re running Windows on a computer powered by an AMD, you’re not going to be offered the Spectre/Meltdown fixes for now. Not sure whether your computer has an Intel or AMD chip? Most modern computers display this information (albeit very briefly) when the computer first starts up, before the Windows logo appears on the screen.

Here’s another way. From within Windows, users can find this information by pressing the Windows key on the keyboard and the “Pause” key at the same time, which should open the System Properties feature. The chip maker will be displayed next to the “Processor:” listing on that page.

Microsoft also on Tuesday provided more information about the potential performance impact on Windows computers after installing the Spectre/Meltdown updates. To summarize, Microsoft said Windows 7, 8.1 and 10 users on older chips (circa 2015 or older), as well as Windows server users on any silicon, are likely to notice a slowdown of their computer after applying this update.

Any readers who experience a BSOD after applying January’s batch of updates may be able to get help from Microsoft’s site: Here are the corresponding help pages for Windows 7, Windows 8.1 and Windows 10 users.

As evidenced by this debacle, it’s a good idea to get in the habit of backing up your system on a regular basis. I typically do this at least once a month — but especially right before installing any updates from Microsoft. 

Attackers could exploit a zero-day vulnerability in Office (CVE-2018-0802) just by getting a user to open a booby-trapped Office document or visit a malicious/hacked Web site. Microsoft also patched a flaw (CVE-2018-0819) in Office for Mac that was publicly disclosed prior to the patch being released, potentially giving attackers a heads up on how to exploit the bug.

Of the 56 vulnerabilities addressed in the January Patch Tuesday batch, at least 16 earned Microsoft’s critical rating, meaning attackers could exploit them to gain full access to Windows systems with little help from users. For more on Tuesday’s updates from Microsoft, check out blogs from Ivanti and Qualys.

As per usual, Adobe issued an update for Flash Player yesterday. The update brings Flash to version 28.0.0.137 on Windows, Mac, and Linux systems. Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version.

When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.

Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions ) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.

From https://krebsonsecurity.com/2018/01/microsofts-jan-2018-patch-tuesday-lowdown/

Website Glitch Let Me Overstock My Coinbase

Overstock.com (NASDAQ:OSTK) just fixed a serious glitch in the Coinbase bitcoin payment section of its site that allowed customers to buy any item at a tiny fraction of the listed price. Potentially more punishing, the flaw let anyone paying with bitcoin reap many times the authorized bitcoin refund amount on any canceled orders.

In January 2014, Overstock.com partnered with Coinbase to allow customers to pay for merchandise using bitcoin, making it among the first of the largest e-commerce vendors to accept the virtual currency.

On December 19, 2017, as the price of bitcoin soared to more than $17,000 per coin, Coinbase added support for Bitcoin Cash — an offshoot (or “fork”) from bitcoin designed to address the cryptocurrency’s scalability challenges.

As a result of the change, Coinbase customers with balances of bitcoin at the time of the fork were given an equal amount of bitcoin cash stored by Coinbase. However, there is a significant price difference between the two currencies: A single bitcoin is worth almost $15,000 right now, whereas a unit of bitcoin cash is valued at around $2,400.

On Friday, Jan. 5, KrebsOnSecurity was contacted by JB Snyder, owner of North Carolina-based Bancsec, a company that gets paid to break into banks and test their security. An early adopter of bitcoin, Snyder said he was using some of his virtual currency to purchase an item at Overstock when he noticed something alarming.

During the checkout process for those paying by bitcoin, Overstock.com provides the customer a bitcoin wallet address that can be used to pay the invoice and complete the transaction. But Snyder discovered that Overstock’s site just as happily accepted bitcoin cash as payment, even though bitcoin cash is currently worth only about 15 percent of the value of bitcoin.

To confirm and replicate Snyder’s experience firsthand, KrebsOnSecurity purchased a set of three outdoor solar lamps from Overstock for a grand total of $78.27.

The solar lights I purchased from Overstock.com to test Snyder’s finding. They cost $78.27 in bitcoin, but because I was able to pay for them in bitcoin cash I only paid $12.02.

After indicating I wished to pay for the lamps in bitcoin, the site produced a payment invoice instructing me to send exactly 0.00475574 bitcoins to a specific address.

The payment invoice I received from Overstock.com.

Logging into Coinbase, I took the bitcoin address and pasted that into the “pay to:” field, and then told Coinbase to send 0.00475574 in bitcoin cash instead of bitcoin. The site responded that the payment was complete. Within a few seconds I received an email from Overstock congratulating me on my purchase and stating that the items would be shipped shortly.

I had just made a $78 purchase by sending approximately USD $12 worth of bitcoin cash. Crypto-currency alchemy at last!

But that wasn’t the worst part. I didn’t really want the solar lights, but also I had no interest in ripping off Overstock. So I cancelled the order. To my surprise, the system refunded my purchase in bitcoin, not bitcoin cash!

Consider the implications here: A dishonest customer could have used this bug to make ridiculous sums of bitcoin in a very short period of time. Let’s say I purchased one of the more expensive items for sale on Overstock, such as this $100,000, 3-carat platinum diamond ring. I then pay for it in Bitcoin cash, using an amount equivalent to approximately 1 bitcoin ($~15,000).

Then I simply cancel my order, and Overstock/Coinbase sends me almost $100,000 in bitcoin, netting me a tidy $85,000 profit. Rinse, wash, repeat.

Neither Coinbase nor Overstock would say which company was responsible for the glitch — whether it was a flaw in Coinbase’s application programming interface (API) or an implementation problem on Overstock.com. Coinbase told me the bug only existed for approximately three weeks.

“After being made aware of an issue in our joint refund processing code on SaturdayCoinbase and Overstock worked together to deploy a fix within hours,” Coinbase wrote in a statement shared with KrebsOnSecurity. “While a patch was being developed and tested, orders were proactively disabled to protect customers. To our knowledge, a very small number of transactions were impacted by this issue. Coinbase actively works with merchant partners to identify and solve issues like this in an ongoing, collaborative manner and since being made aware of this have ensured that no other partners are affected.”

For its part, Overstock said in a statement:

“We were made aware of an issue affecting cryptocurrency transactions and refunds by an independent researcher. After working with the researcher to confirm the finding, that method of payment was disabled while we worked with our cryptocurrency integration partner, Coinbase, to ensure they resolved the issue. We have since confirmed that the issue described in the finding has been resolved, and the cryptocurrency payment option has been re-enabled.”

Bancsec’s Snyder and I both checked for the presence of this glitch at multiple other merchants that work directly with Coinbase in their checkout process, but we found no other examples of this flaw.

The snafu comes as many businesses that have long accepted bitcoin are now distancing themselves from the currency thanks to the recent volatility in bitcoin prices and associated fees.

Earlier this week, it emerged that Microsoft had ceased accepting payments in Bitcoin, citing volatility concerns. In December, online game giant Steam said it was dropping support for bitcoin payments for the same reason.

And, as KrebsOnSecurity noted last month, even cybercriminals who run online stores that sell stolen identities and credit cards are urging their customers to transact in something other than bitcoin.

Interestingly, bitcoin is thought to have been behind a huge jump in Overstock’s stock price in 2017. In December, Overstock CEO Patrick Byrne reportedly stoked the cryptocurrency fires when he said that he might want to sell Overstock’s e-tailing operations and pour the extra cash into accelerating his blockchain-based business ideas instead.

In case anyone is wondering what I did with the “profit” I made from this scheme, I offered to send it back to Overstock, but they told me to keep it. Instead, I donated it to archive.org, a site that has come in handy for many stories published here.

From https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/

Scary Chip Flaws Raise Spectre of Meltdown

Apple, Google, Microsoft and other tech giants have released updates for a pair of serious security flaws present in most modern computers, smartphones, tablets and mobile devices. Here’s a brief rundown on the threat and what you can do to protect your devices.

At issue are two different vulnerabilities, dubbed “Meltdown” and “Spectre,” that were independently discovered and reported by security researchers at Cyberus Technology, Google, and the Graz University of Technology. The details behind these bugs are extraordinarily technical, but a Web site established to help explain the vulnerabilities sums them up well enough:

“These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

“Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”

The Meltdown bug affects every Intel processor shipped since 1995 (with the exception of Intel Itanium and Intel Atom before 2013), although researchers said the flaw could impact other chip makers. Spectre is a far more wide-ranging and troublesome flaw, impacting desktops, laptops, cloud servers and smartphones form a variety of vendors. However, according to Google researchers, Spectre also is considerably more difficult to exploit.

In short, if it has a computer chip in it, it’s likely affected by one or both of the flaws. For now, there don’t appear to be any signs that attackers are exploiting either to steal data from users. But researchers warn that the weaknesses could be exploited via Javascript — meaning it might not be long before we see attacks that leverage the vulnerabilities being stitched into hacked or malicious Web sites.

Microsoft this week released emergency updates for to address Meltdown and Spectre in its various Windows operating systems. But the software giant reports that the updates aren’t playing nice with many antivirus products; the fix apparently is causing the dreaded “blue screen of death” (BSOD) for some antivirus users. In response, Microsoft has asked antivirus vendors who have updated their products to avoid the BSOD crash issue to install a special key in the Windows registry. That way, Windows Update can tell whether it’s safe to download and install the patch.

But not all antivirus products have been able to do this yet, which means many Windows users likely will not be able to download this patch immediately. If you run Windows Update and it does not list a patch made available on Jan 3, 2018, it’s likely your antivirus software is not yet compatible with this patch.

Google has issued updates to address the vulnerabilities on devices powered by its Android operating system. Meanwhile, Apple has said that all iOS and Mac systems are vulnerable to Meltdown and Spectre, and that it has already released “mitigations” in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. The Apple Watch is not impacted. Patches to address this flaw in Linux systems were released last month.

Many readers appear concerned about the potential performance impact that applying these fixes may have on their devices, but my sense is that most of these concerns are probably overblown for regular end users. Forgoing security fixes over possible performance concerns doesn’t seem like a great idea considering the seriousness of these bugs. What’s more, the good folks at benchmarking site Tom’s Hardware say their preliminary tests indicate that there is “little to no performance regression in most desktop workloads” as a result of applying available fixes.

Meltdownattack.com has a full list of vendor advisories. The academic paper on Meltdown is here (PDF); the paper for Spectre can be found at this link (PDF). Additionally, Google has published a highly technical analysis of both attacks. Cyberus Technology has their own blog post about the threats.

From https://krebsonsecurity.com/2018/01/scary-chip-flaws-raise-spectre-of-meltdown/