Month: May 2018

Intel’s ‘Virtual Fences’ Spectre Fix Won’t Protect Against Variant 4

Spectre and Meltdown fixes for Intel chips announced in March, to be embedded into new CPUs, do not address the newly disclosed Variant 4, sources said.

Intel introduced hardware-based safeguards into its new chips to protect against the Spectre and Meltdown flaws that rocked the silicon industry when the vulnerabilities were made public in early 2018. However, those protections are specific to Variants 2 and 3; they do not address the newly discovered Variant 4, nor other speculative-execution side-channel flaws that may surface in the future, sources familiar with the situation told Threatpost.

That said, chip experts familiar with the situation said that while these “protective walls” do not cover Variant 4, Intel has added a control to its microcode – the Speculative Store Bypass Disable (SSBD) bit – that does protect against Variant 4. That control will carry over to future hardware platforms.

On Monday, Intel acknowledged that its processors are vulnerable to Variant 4, which could give attackers unauthorized read access to memory. Like Meltdown and Spectre, Variant 4 (CVE-2018-3639) is a side-channel analysis flaw. However, Variant 4 uses a different mechanism to extract information: it is closer to a cache-based attack, and it can be used in browser-based attacks.

After the disclosure of Spectre and Meltdown, Intel said earlier this year that it had designed a new set of CPU features that work with the operating system to install “virtual fences,” protecting the system from speculative-execution attacks that exploit a variant of the Spectre flaw.

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Brian Krzanich, CEO of Intel, said in a blog post at the time. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.”

Krzanich said the new safeguards will be built into Intel’s next-generation Xeon Scalable processors, code-named Cascade Lake, as well as Intel’s eighth-gen Core processors that are expected to ship in the second half of 2018.

Patrick Moorhead, principal analyst at Moor Insights and Strategy, said that Variant 4 would be much harder to “fix” architecturally than V1, V2, or V3a.

“You either have to turn memory disambiguation on or off, which will be a BIOS setting,” he told Threatpost in an email. “It’s important to note that browsers have already included mitigations and that from a severity standpoint, has been flagged as ‘medium’ severity, compared to V1, V2, and V3, which were flagged as ‘high.’”

Variant 4 is most similar to Spectre V1 as opposed to Variant 2 or Variant 3, Moorhead said: “GPZv1 was exploiting the nature of the processor’s branch prediction. GPZv4 is taking advantage of a performance feature where the processor reorders loads/stores (memory disambiguation) to gain performance,” he said.

Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, said in a post on Monday that, unlike Intel’s updates for other variants, the updates for Variant 4 will be optional and will be set to “off” by default.

“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” she wrote.

What Will GDPR’s Impact Be On U.S. Consumer Privacy?

Will the General Data Protection Regulation rules that go into effect on Friday affect the privacy of U.S. citizens? It depends whom you ask, but the odds-on favorite answer is “not by much.”

The Facebook Cambridge Analytica scandal in March led to a firehose of rebuke against social media platforms, advertisers and data brokers over how they use consumer information they collect and how they sell it. U.S. consumers are hungry for change.

Privacy experts say that, despite the outrage, not much has changed or will immediately change in how companies that profit from trading in consumer data do business. Existing U.S. privacy laws, experts say, have not been effective enough to protect privacy, and the current gridlock in Washington, D.C., makes it unlikely that the tougher federal privacy laws now proposed will pass anytime soon.

The glimmer of hope for many is a spillover effect from the European Union’s GDPR law, which is aimed at protecting people in the EU. It’s true that U.S. citizens don’t directly benefit from the rules, but in the weeks leading up to the introduction of GDPR there have been promising signs that U.S. companies’ adoption of some GDPR requirements will also improve U.S. consumer privacy.

“Strangely what may end up benefiting Americans concerned about their privacy is regulation being implemented in Europe,” said Alexander Abdo, senior staff attorney at the Knight First Amendment Institute. “The GDPR is going into effect very soon and… it may have spillover for us on this side of the pond.”

Under the GDPR law, EU citizens have a right to know what is being done with their data, and a right to access it. GDPR requires any company doing business in the EU that interacts with and processes data of people in the EU to get explicit consent from users for every possible use of their data. Users also have a right to be “forgotten,” meaning they can request that a company delete their data, stop sharing it and stop third-party firms from using it as well.

There are also data portability rules allowing users to take their data from one service and give it to another. A breach notification rule requires firms to notify customers within 72 hours of an incident. Lastly, firms will need to have “data protection officers” that can demonstrate compliance with GDPR and transparency.

Companies that don’t comply face fines of up to 4 percent of their global profits.

Some Positive Impacts

Abdo said there are no parallel privacy rules that share the same goals as GDPR here in the U.S. But, he said, the fallout of the Facebook Cambridge Analytica scandal, coupled with the introduction of GDPR in Europe, is pushing into place some new privacy safeguards for U.S. citizens. It makes sense to implement new privacy rules globally, rather than to adopt a patchwork of privacy rules for each country, experts point out.

GDPR is credited for several changes to data-collecting practices by Microsoft, Google, Facebook and other firms. Google said it plans to commit to the Interactive Advertising Bureau’s GDPR approach. Earlier this week, Microsoft said it would extend GDPR protections to all its customers, not just those in EU countries. Facebook CEO Mark Zuckerberg said his firm would apply the “spirit” of the legislation globally.

In January, Facebook said it would revamp its privacy dashboard to be more user-friendly. In the weeks following the Cambridge Analytica fallout, it also announced a new privacy control called “Clear History” that lets users flush their browsing history so that it is no longer stored with their account.

Twitter has joined Facebook and others in emailing users, urging them to review how their data is used to target them with ads and how public their shared profile information is, in order to comply with GDPR disclosure requirements.

At the same time big tech companies have been quickly adopting GDPR rules, they have also been devising ways to reduce its impact on their business.

In April, The Guardian pointed out that Facebook shifted responsibility for managing 1.5 billion user accounts located outside the U.S., Canada and the EU from its international headquarters in Ireland to its U.S. offices. Because GDPR applies in Ireland, the move is seen as an attempt to place that user data out of reach of EU law.

Earlier this week, Apple rolled out data and privacy tools for European customers that allowed them to download the data that Apple has collected about them and the devices they own. But here in the U.S., Apple has only promised to broaden the availability of the tools.

Google has also come under fire recently after Oracle alleged that Google receives information about people’s internet searches and locations from phones running Android. The web giant is currently under investigation by the Australian government.

Google did not respond to a request for comment from Threatpost on its commitment to handling and securing private data.

If GDPR Can’t Save Us, What Can?

The U.S. government can play a big role in holding platforms like Facebook, LinkedIn, and Twitter accountable for how they protect data privacy – but overarching challenges remain in the political landscape.

“There has been a change in the way that government – and in particular Congress – has looked at tech companies and their role in society and the democratic system,” Michelle De Mooy, director of the Privacy and Data Project at the Center for Democracy and Technology, told Threatpost.

She said the Cambridge Analytica scandal has caused regulators to look at core issues around data transparency and protection in the U.S. The incident has also forced politicians to acknowledge just how far the U.S. is behind the rest of the world when it comes to regulations around data – namely GDPR.

“For a long time these companies weren’t regulated, and they’ve avoided a fair amount of scrutiny… but Cambridge Analytica has been the apex of what’s occurred,” said De Mooy. “I’ve seen a more intense and greater call for regulation.”

In the U.S., there is no single, comprehensive federal law that regulates the collection and use of personal data. “The regulatory environment in the U.S. is fairly weak… we’ve had laws that follow data in a different kind of context, like health, but nothing as a baseline of protection for personal data,” said De Mooy. “When there is any accountability for companies related to data privacy, it’s handled through the FTC, but that’s an agency with limited authority and resources.”

Currently, a Federal Trade Commission consent decree from 2011 requires Facebook to obtain explicit permission from users before sharing their data with third parties.

Making the prospect of regulation more challenging, the U.S. technology industry thus far has been widely self-regulated – and the current U.S. government administration favors self-generated regulatory actions.

That political divide was highlighted during Zuckerberg’s congressional hearing in April. Some senators, like Sen. Susan Collins (R-ME), argued that Facebook didn’t need regulations at all, while others like Sen. Dan Sullivan (R-AK) worried that “regulations can also cement the dominant power.”

“You look at what happened with [The Dodd–Frank Wall Street Reform and Consumer Protection Act],” he said. “That was supposed to be aimed at the big banks. The regulations ended up empowering the big banks in keeping the small banks down.”

Regardless, privacy advocates like the Electronic Frontier Foundation think that data privacy regulations should be high up on the national agenda.

“As the details continue to emerge regarding Facebook’s failure to protect its users’ data from third-party misuse, a growing chorus is calling for new regulations… it’s crucial that we ensure that privacy protections for social media users reinforce, rather than undermine, equally important values like free speech and innovation,” said Corynne McSherry with EFF in a post.

Pinning Hopes on Future Crackdown

Even beyond the complex political landscape, new data regulations provoke difficult questions about the role of social media platforms and who inherently owns and can have control over data online.

There have been a multitude of bills surrounding data introduced in the past year, including the Honest Ads Act, which aims to provide more transparency for online political advertisements; and the Browser Act of 2017, which authorizes the FTC to enforce information privacy protections allowing users to opt out of the use of their user information depending on the sensitivity of the information.

After Zuckerberg’s hearing, meanwhile, senators also rolled out the CONSENT (Customer Online Notification for Stopping Edge-Provider Network Transgressions) Act, which would place restrictions on data collection by “edge providers” like Facebook and Google.

While the CONSENT Act comes closest to instilling GDPR-like policies, De Mooy said U.S. regulators need to take laws like GDPR one step further by looking at how they can “complement GDPR” – in particular by better outlining the risks and benefits of data sharing for end users.

Consent-management tools that let online companies monitor their compliance gaps and manage policies do exist – including PrivacyCheq and NGData.

But many, including John Callahan, CTO of security firm Veridium, have lost trust that Facebook and other online platforms would use these tools: “Time and time again we will continue to see private and sensitive information misused, improperly stored and stolen,” he told Threatpost.

States Fight For Their Own Privacy

Whether we’ll see regulation addressing data policies depends on several factors, said De Mooy – but one big factor is the Nov. 6, 2018 midterm elections, when privacy initiatives are expected to appear on ballots across the country.

That could include decisions about the Honest Ads Act, as well as the CONSENT Act. California is also touting its California Consumer Privacy Act, another data regulation that could apply to Facebook and social media privacy. If approved, the act would enforce more transparency around data that is being stored by companies, as well as enable consumers to opt out of companies selling their data.

“For the time being we’ve gotten calls from both sides of the aisle in Congress, and there’s clear concern around data policies from both Republicans and Democrats,” De Mooy said. “No one wants to be heavy handed and knock these companies to the ground when it comes to regulations. But we want something that respects our ability to go online and have an expectation of privacy.”

For the time being, however, social media platform users need to be aware of the lack of data privacy.

“It is important that users understand there is no free service,” said Ilia Kolochenko, CEO of High Tech Bridge. “If you’re using a platform for free, it will monitor your data and preferences. When you’re sending something online you need to assume it will be shared. We hope eventually there will be a positive shift toward customers’ data protection.”

Schneider Electric Patches XXE Vulnerability In Software

Schneider Electric on Tuesday issued fixes for a vulnerability in its SoMachine Basic software, which could result in the disclosure and retrieval of arbitrary data.

The software in question is used to develop code for programmable logic controllers. A vulnerability in the XML parser used by SoMachine Basic lets an attacker launch an out-of-band remote arbitrary data retrieval attack.

“SoMachine Basic suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique, resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack,” Schneider Electric said in a security notice. “The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file.”

Essentially, this means that several versions of SoMachine Basic have input points that accept XML documents, such as project and template files. When an XML document is received it must be parsed, which means turning it from a text file into structured data.

“The tools out there that do that are called XML parsers, and it turns out that in the XML spec, there’s support for features like adding a header in the doc, enabling the person creating the document to reference external documents or files,” explained Jeff Williams, CTO of Contrast Security, speaking to Threatpost.

Williams said an attacker could create a malicious XML file and upload it to such an input point; when the XML parser reads the file, it also processes the header the attacker added and attempts to fetch the referenced external resource – which could be a file on the local disk, or on other file servers on the network.

“So an attacker could upload a malicious XML file, [and then] it pulls in resources from the disk, and then the program leaks those details out through the website,” said Williams. “That data could be anything on the internal network – including manufacturing data or personal data. A bigger risk is [the potential for] stealing IP, source code or files related to industrial processes.”
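The header Williams describes is a DOCTYPE carrying entity declarations, which is exactly what a pre-import check can look for. The following is an added example, not Schneider Electric’s or Contrast Security’s code: it inspects an XML project/template file with the standard-library expat bindings configured never to fetch anything external, and rejects files that declare parameter entities, external entities or an external DTD. The sample documents and their URIs are constructed placeholders.

```python
"""Pre-import inspection of an XML file for the DTD constructs an XXE payload
relies on.  Added example using only the standard library; no external fetches
happen while inspecting, and the sample documents below are constructed."""
import xml.parsers.expat as expat


def inspect_xml(data: bytes) -> dict:
    """Parse without resolving external resources and report DTD findings."""
    findings = {
        "doctype": None,            # DOCTYPE root name, if any
        "external_dtd": None,       # SYSTEM id of an external DTD subset
        "external_entities": [],    # (name, kind, system_id) for SYSTEM entities
        "parameter_entities": [],   # names declared as '<!ENTITY % name ...>'
        "entity_refs_followed": [], # external general entities the parser hit
        "error": None,              # well-formedness error, if any
    }

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = name
        findings["external_dtd"] = system_id  # <!DOCTYPE x SYSTEM "..."> form

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if is_param:
            findings["parameter_entities"].append(name)
        if system_id is not None:
            kind = "parameter" if is_param else "general"
            findings["external_entities"].append((name, kind, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Record the attempt and return 1 so expat continues without fetching.
        findings["entity_refs_followed"].append(system_id)
        return 1

    parser = expat.ParserCreate()
    # Never load external parameter entities or the external DTD subset;
    # declarations in the internal subset are still reported to our handlers.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings["error"] = str(exc)
    return findings


def safe_to_import(data: bytes) -> bool:
    """A project file needs none of these DTD features, so reject them all."""
    f = inspect_xml(data)
    return (
        f["error"] is None
        and f["external_dtd"] is None
        and not f["external_entities"]
        and not f["parameter_entities"]
        and not f["entity_refs_followed"]
    )


# Constructed samples: a benign project file, and one whose DOCTYPE declares a
# parameter entity and an external entity (placeholder URIs, not real hosts).
BENIGN_PROJECT = b'<?xml version="1.0"?><project name="pump_station"><pou name="Main"/></project>'
SUSPICIOUS_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY % remote SYSTEM "http://dtd.example.invalid/x.dtd">
  <!ENTITY local SYSTEM "file:///PLACEHOLDER/path">
  %remote;
]>
<project name="pump_station"><pou name="Main"/></project>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PROJECT), ("suspicious", SUSPICIOUS_PROJECT)):
        verdict = "safe" if safe_to_import(doc) else "REJECT"
        print(label, verdict, inspect_xml(doc))
```

The check is deliberately coarse: any DOCTYPE-borne external reference is grounds for rejection, which is the same stance as disabling DTD processing in the parser that will ultimately load the file.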

The vulnerability (CVE-2018-7783) was rated a CVSS score of 8.6, which is considered “high,” according to Schneider Electric. However, while the vulnerability may put data at risk, SoMachine Basic is not a production ICS system but a tool used in a development environment. As such, exploiting it incurs no material downtime and therefore carries no urgency from a business perspective, according to Tom Parsons, senior director of product management at Tenable.

“The attack requires… user interaction,” he told Threatpost. “The victim would have to actively load/import a malicious file crafted by an attacker. So, it’s not an easy attack to execute, because an attacker can’t just remotely connect to the system and execute the exploit.”

Schneider Electric did not respond to questions from Threatpost, including whether any exploitation of the vulnerability has been observed.

“The cybersecurity team at Schneider Electric has collaborated with Applied Risk to ensure the exploit had been addressed after identification with an effective patch,” a spokesperson at Applied Risk, whose researcher Gjoko Krstikj discovered the vulnerability, told Threatpost.

All versions of SoMachine Basic prior to v1.6 SP1 are impacted by the flaw. The manufacturing company said a fix is available for download online, or by using the Schneider Electric Software Update tool.

Schneider Electric has faced a bevy of vulnerabilities on its systems, including a critical remote code execution vulnerability in two Schneider Electric industrial control-related products in May and a critical vulnerability in its WonderWare Historian last year.

But security experts like Parsons said that industrial vendors, for their part, are becoming more aware of cybersecurity vulnerabilities on their operational technology-related hardware and software.

“Vulnerability types like remote service vulnerabilities are still common in OT systems, while in the IT world these have been displaced by application vulnerabilities,” Parsons told Threatpost. “This reflects that OT has only recently become a target for threat actors. But OT vendors are becoming much more aware and active in addressing vulnerabilities and providing patches, as OT becomes increasingly connected.”

James Comey: FBI Faces Deep Tech-Related Questions

LAS VEGAS – The American law enforcement system is facing a crisis of identity in the face of technology advancement, with cloud migration and automated systems, data privacy and encryption all remaining central issues for the FBI as it considers its mandate and role in the modern digital age.

Speaking at the OpenText ENFUSE 2018 conference, former FBI Director James Comey began by noting that the bureau in general is trying to strike the right balance between what investigative measures should be left to technology platforms, and which should remain under the purview of humans.

“To me, there’s a little too much of the human involved,” he said.

Using the example of the FBI investigation into Hillary Rodham Clinton’s email practices while she was Secretary of State, he said that the task of sifting through millions of messages became a main challenge for the investigative team.

“The team for instance said there’s no way we can complete the review of the tens of thousands of messages on Anthony Weiner’s laptop before the election, because we didn’t have de-dupe software for the classified network – we only had it for the unclassified network.”

As a result, the FBI’s technical resources flew into action, racing against the clock to create a classified de-dupe tool as time wound down. Eventually, it was put into place, which whittled the number of emails down to 6,000 that had to be read individually by human eyes.

“That challenge was front and center,” he said.

The problem is that the FBI, like other government entities, is wrestling with the need to move to a unified cloud platform for information access. In the FBI’s case, as with other intelligence agencies, that cloud will need to accommodate different levels of classification and different stakeholders.

“The central challenge is that we share so much info with each other is that we overwhelm each other,” he said. “We need software tools to exploit that data, and to tag and categorize data [to make it useful]. We also need to be able to flag insider threats and control access.”

For instance, the bureau needs to be able to make use of what he called “digital dust.” That dust can be an invaluable tool, as it was in the arrest of the Golden Gate killer, believed responsible for 12 homicides and 45 rapes decades ago. He was recently caught when his 30-year-old DNA was run against a genealogy database.

“It’s fair to say we live in a golden age of surveillance in a very real sense,” he said. “We are all building digital models and replicas of ourselves, and through the richness of that dust the courts can reconstruct who I am.”

However, he also said that despite the deep fears of some Americans that their government can access absolutely everything about them through a web of far-reaching digital surveillance (as famously outlined by Edward Snowden), the reality is that inappropriate tracking is not on the docket.

“There’s a sense of frustration inside the FBI to be honest,” he said. “The public believes that we have all of these surveillance tools, when social media giants know far more about you than we do, with no regulation. This brings up questions around the frameworks we have in place for the use of government authority, which are increasingly outdated. When the single largest collector of information actually isn’t the government, how do we feel about that, as a country?”

On a related topic, he noted that strong encryption – which is at the heart of an impassioned debate begun by privacy advocates – is putting law enforcement at a disadvantage, with “wide swathes of American life off-limits to judicial authority.”

Echoing the sentiments of current FBI Director Christopher Wray and others, he elaborated on the charge he made in his recent book that encryption is the hardest challenge the FBI faces at the moment, amounting to no less than an existential question.

“We all care about both sides of this debate; we all care deeply about the security of our lives, our children and communities, and we care about the security of our information. But [by restricting the purview of the Fourth Amendment], that becomes a different way to live,” he said.

The Fourth Amendment guarantees protection of individuals against “unreasonable searches and seizures,” but provides for the ability of law enforcement, with probable cause, to search the effects of a suspect. In the modern age, it has become a question as to whether that authority stretches to the digital realm. Comey added that real content is still king when it comes to securing convictions – actual pictures, messages and the like, not just the aforementioned digital dust that can be used for profiling.

“We’ve always agreed as a people that the government authorities, with appropriate oversight, can gain access to the information they need to determine [criminality],” he said. “We’re now moving to a place where both non-crooks and crooks can wall off communications, data and pictures – we’re drifting to that. And we shouldn’t drift. We need to be able to say either that this is okay, and weigh the costs and benefits, or if it’s not okay, what do we do about it.”

Comey finished his talk and Q&A by noting that Americans have a unique amount of dysfunction produced by technology, but that we hold a set of core values, no matter the current divisions politically, that will guide the country’s decisions on these and other questions going forward.

“I feel a sense of awakening,” he explained. “If you think of the American people as a bell curve with wings on either side of [political] nuts, the middle is what we call the sleeping American giant, and there lies the repository of our values. I feel that giant awakening. It wakes every couple of generations and creates an inflection point. And I think that’s happening again today.”
