CyberWire Daily - Meltdown and Spectre arose from engineering for speed—most chips are affected. Bogus security apps kicked out of Google Play. Iran's Internet crackdown. Indications of a guilty plea in NSA leak case.

Episode Date: January 4, 2018

In today's podcast we follow the story of Meltdown and Spectre, which pose kernel-level security issues: speed was inadvertently purchased at the price of insecurity. Spectre affects most chips, not just those from Intel. Mitigations are on the way. Bogus security apps booted from Google Play. Be on the lookout for phony Android Uber apps. Iran's Internet crackdown continues. Michael Daly from Raytheon and David DuFour from Webroot share their views on Meltdown and Spectre. And former NSA contractor Hal Martin may plea to taking one classified document home with him.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Meltdown and Spectre pose kernel-level security issues. Speed was inadvertently purchased at the price of insecurity. Spectre affects most chips, not just those from Intel. Mitigations are on the way.
Starting point is 00:02:08 Bogus security apps booted from the Google Play Store. Be on the lookout for phony Android Uber apps. Iran's internet crackdown continues. And former NSA contractor Hal Martin may plea to taking one classified document home with him. I'm Dave Bittner with your CyberWire summary for Thursday, January 4th, 2018. So, these computer things that run on this internet thing seem to be a little slower than usual, friend. Do they seem run down, sister?
Starting point is 00:02:42 Not the same snap, crackle, and pop you're used to, brother? No? Well, maybe not yet, but you might notice it before too much longer. We're talking, of course, about the processor chip vulnerabilities that have been discussed this week. They've received a lot of names, FWIT and Kaiser among them. And we won't use FWIT because we're a family show, and if any children are listening, neither should you, kids. The names that are sticking, however, are Meltdown and Spectre. The fact that these both come with snazzy logos ready-made, Spectre represented by a Pac-Manian cartoon ghost, Meltdown by a Dalí-esque melting shield, suggests that they've been known to some people for some time. And
Starting point is 00:03:22 indeed, Google blogged yesterday that its Project Zero discovered and quietly disclosed them last summer. The vulnerabilities are found in processor chips, and they enable side-channel attacks in affected systems. According to Google, the vulnerabilities are rooted in the way chips are engineered for efficiency to perform speculative execution, which enables the threading that lends processes the smooth speed users expect. Meltdown, which is CVE-2017-5754, permits ordinary applications to evade the security boundaries usually enforced at chip level to access the private contents of kernel memory.
Starting point is 00:04:02 The vulnerability appears confined largely to Intel chips. Spectre, which is CVE-2017-5753 and CVE-2017-5715, is the more widespread and potentially dangerous of the two. It enables an attacker to bypass isolation among different applications. Yesterday's report said only Intel chips were affected. Some competing manufacturers initially said their processors were unaffected. Well, not so fast. That optimism seems to have been misguided. Most recent processors share the Spectre vulnerabilities, if not the Meltdown issue.
Starting point is 00:04:40 Spectre has now been identified in ARM and AMD chips as well, as Intel has helpfully pointed out. Microsoft has issued an out-of-band patch to mitigate the problems for its products. Other vendors either have or shortly will make mitigations available. These are expected to fix the security issues, but at the expense of performance. Many experts are advising people that their patched devices will run noticeably more slowly. Cloud users should experience similar slowdowns. One point worth noting is that there are a lot of ARM chips in Internet of Things devices. If those are susceptible to Spectre, as they seem to be, this means there will be a lot
Starting point is 00:05:20 of small, scattered, difficult to the pointthe-point-of-impossible-to-patch IoT devices out there. Michael Daly is the Chief Technology Officer at Raytheon for Cybersecurity, and he joins us to share his view on Spectre and Meltdown. You know, the standard story of patch quickly is really what we need to take away from this immediate problem. Meltdown has been out there since June of last year, and we have to assume at this point that some criminal organizations and nation-state adversaries are aware of the details of this and have been aware of it. It's unlikely that that was kept quiet from them.
Starting point is 00:06:01 So they've had time to develop exploits for it. And so now that the patches are out, and I saw Microsoft put out the Windows patches this morning, we need to get those installed quickly. Are we thinking that the software patches are going to be a long-term solution, or ultimately we're going to have to see some hardware fixes as well? I don't think hardware fixes anytime soon. Surely Intel, AMD, ARM will make changes to their architecture for future chips, but for now, I think we are stuck with software fixes. I've heard that the cloud platforms are already patched for the most part. Apple had their patch out last December, and others have theirs out. So I think Meltdown is okay, okay in the sense that we have a patch.
Starting point is 00:06:58 It doesn't mean that people have applied them or rebooted their systems, which is required to make the patch active. But Spectre is going to hang around for quite a while, it seems. And so in terms of the specific threats that people need to look out for, what's your guidance there? Well, the threat is that folks figure out how to get you to run some of this code and then use it to grab your credentials and encryption keys. They're more concerned about credentials than anything, meaning, you know, usernames and passwords.
Starting point is 00:07:27 And with that, they can then jump and install other malware and go about the usual exploit chain. So this is another vector for them to grab credentials. On the Spectre story, the troubles with that are probably going to grow a little bit over time as the various criminal organizations and nation states work on developing new ways of exploiting it. And since there isn't a quick hardware fix for sure, and software fixes appear to be partial at best, we're going to have to do continuous updates to our monitoring systems to look for specter exploits as they evolve over time. That's Michael Daly from Raytheon. In other news, Google has expelled 36 bogus
Starting point is 00:08:14 security apps from the Play Store. Some of them misrepresented themselves as products from well known and reputable vendors like Avast. This is, of course, an imposture, and Google has shooed these serpents from its walled garden. There's also some Android malware circulating in the wild that pretends to be an Uber app. Iran's crackdown on the internet continues as the regime declares victory in quashing unrest, but few observers take the Islamic Republic's claims of triumph at face value. Finally, in news of crime and punishment, former NSA contractor Hal Martin is reported by the Baltimore Sun and Reuters to have indicated his willingness to cop a guilty plea
Starting point is 00:08:56 to a single count of taking a single classified document home with him. This came in a filing yesterday at the Baltimore court that's hearing the case. The single charge carries a maximum possible penalty of 10 years imprisonment. The government, which says it picked up 50 terabytes of classified information at Mr. Martin's Glen Burnie residence, seems unlikely to let things ride with that simple plea. No one seems to know why Mr. Martin took stuff home with him. If the government knows, it's not saying. And Mr. Martin's attorney has said that it went like this. Mr. Martin took things home to study so he could get better at his job,
Starting point is 00:09:34 and then taking things home became an obsession. You kind of get that. The document Mr. Martin indicated his willingness to admit taking was a 2014 chart of a proposed NSA reorganization. An org chart would be kind of a page-turner. Kind of like those Jedi manuals that Yoda blew up in The Last Jedi. Wait, should we have said spoiler alert?
Starting point is 00:09:58 Well, sorry, and may the Force be with you. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:10:46 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:11:46 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:12:21 And joining me once again is David DuFour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. Happy you can jump on the line with us today. We want to talk about Meltdown and Spectre. Get your take on it. Let's just start with some basics.
Starting point is 00:12:43 Well, hey, Dave, thanks for having me back. These are pretty significant in terms of what's going on, because both of them kind of start at the hardware level and work their way up from there. Meltdown does have a software solution. Spectre, we're going to see some stuff over time. So take us through that. I mean, we're seeing the patches being released for Meltdown, but we're also hearing word that this could lead to slowdowns. Right. That's exactly right. It has to do with the memory and paging and how that's done physically on the system. And so operating system providers can do a lot of work in the kernel to lock that down and ensure that with Meltdown, they're able to secure that memory allocation and that people aren't able to get to things they're not supposed to. But in doing so, they're having to forego some of the performance capabilities of that chip. And so
Starting point is 00:13:31 you're going to see some hit at the kernel level in the operating system simply to prevent nefarious actors from being able to access those memory locations. And what about with Spectre? Well, Spectre is kind of an exciting but terrifying thing in and of itself. As with Meltdown, you know, we can get a software solution out pretty quickly. And yes, there'll be a CPU hit. It's a pretty definitive fix. With Spectre, we're seeing that on multiple hardware platforms. And the issue there, without going into too much detail, is how applications are able
Starting point is 00:14:04 to access memory. That one is not going to have a straightforward, simple fix. And what we're going to see with Spectre is probably something that's going to take time to get software fixes out as we see threats appear. Because the definitive fix would be to ship back all your hardware, have them repurpose circuit boards, and then ship your hardware back to you. But obviously, that's too costly. So with Spectre, it's going to take time, and we're going to have to pick these threats off one at a time as we see them. I think it's fair to say a sizable percentage of the computing world runs on Intel chips, certainly. They are the dominant player.
Starting point is 00:14:45 How do you see this playing out? Obviously, we're going to have to see some hardware adjustments from Intel. Will those hardware adjustments necessarily come with a performance hit as well? So I think a couple of things. Meltdown is specific to Intel. And as I said, we're seeing some fixes come out already for operating systems around that. And yes, I believe there'll be short term hits or long term even on that hardware. But I think Intel will have workarounds in place to resolve this problem in new hardware. Couldn't estimate when, but I think moving forward, they will have this resolved. They're really good at that. And that's specific to Meltdown.
Starting point is 00:15:28 Now, the beautiful slash terrifying thing about Spectre is it's not just Intel. It's affecting ARM and AMD as well. So it's not just limited to PCs or Macs or things like with Intel chipsets. It's going to be across the board on anything with an ARM, an AMD, or an Intel chip in it. And that is going to take longer to fix. And I don't think you can recall all these devices from these manufacturers. I mean, how many people are
Starting point is 00:15:50 manufacturing ARM chips out there? So it's just we're going to have to, as an industry, take the time that when we see threats, it's just one more thing we add to the queue. We're going to have to figure out how to write solutions that protect against those threats. And then from a hardware perspective, I guarantee you folks are going back to the drawing board on how to engineer these problems out of those chipsets. So what's the advice that you would give to different organizations? I mean, we've got enterprise, we've got small business, and we've got home users. What should their various approaches be to protect themselves from this? How serious on a day-to-day basis are we talking about here? Well, I think that's a great question in terms of, first of all, anyone who ever hears me speak or on any, I could be talking about how to bake bread.
Starting point is 00:16:36 At the end of that, I always say back up your data and apply security patches. So number one, first and foremost, when operating system security patches come out for this stuff, apply them as quickly as you can. Some enterprises don't have that luxury of doing it very fast because they have proprietary software, but you do need to apply security patches to this as quickly as possible. And that's really at the enterprise and business level. For the consumer, you know, I think it's one of those things where you need to be diligent and pay attention to what's going on but I don't think we know yet what the implications are to say smartphones or
Starting point is 00:17:11 home PCs or things of that we're just gonna have to wait and see because this is a pretty sophisticated kind of issue that a lot of people now are going to try to take advantage of and we're going to have to watch how that plays out and be ready to create patches or write solutions that protect against it as we start seeing it in the wild. All right, David DeFore, thanks for taking the time for us today. Great talking to you, Dave. Thank you. All right. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:17:58 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thank you. Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:19:10 John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
