By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre. The only common platform that seems unaffected as of the current moment are iPhone/iPads (Removed per recent advisory).This bug is probably worth its name and logo considering the pervasive nature of the vulnerability. At its core, both involve kernel issues that can lead to leaking running memory outside the current process which can involve compromises of system confidentiality (think encryption keys, passwords, PII/NPI in memory, etc). Contrary to some initial reporting, this is NOT just an Intel bug, it affects AMD and ARM processors as well. These could even be used in cloud / virtualized environments to leak memory outside the running virtual machine. It involves a flaw in "speculative execution" common in these processors where, in the right conditions, code can trick the processor in leaking data returned from other applications.
Original release date: January 04, 2018 | Last revised: February 10, 2018
CPU hardware implementationsOverview
On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. These vulnerabilities can be exploited to steal sensitive data present in a computer systems' memory.Description
CPU hardware implementations are vulnerable to side-channel attacks, referred to as Meltdown and Spectre. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from "speculative execution"—an optimization method a computer system performs to check whether it will work to prevent a delay when actually executed. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones.
More details of these attacks can be found here:
NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit.
After patching, performance impacts may vary, depending on use cases. NCCIC recommends administrators ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.
Additionally, NCCIC recommends users and administrators who rely on cloud infrastructure work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.
For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches. NCCIC recommends verifying your Windows Server version before downloading applicable patches and performing registry edits. A list of registry changes can be found here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Typical antivirus programs are built on a signature management system, and may not be able to detect the vulnerabilities. NCCIC recommends checking with your antivirus vendor to confirm compatibility with Meltdown and Spectre patches. Microsoft recommends third-party antivirus vendors add a change to the registry key of the machine running the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:
More information can be found here: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.
The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.
Note: NCCIC strongly recommends:
Firefox confirms web-based exploitation of Meltdown/Spectre possible, patch ASAP. https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/, (Thu, Jan 4th)
We often focus on malware and hacking in terms of the tools the criminals use, but often good old-fashioned deception is simple enough. A recent case I worked on involves phishing sent to rural real estate professionals (law firms, title companies, realtors, etc). It is particularly effective on targets that use the various web-mail / free e-mail services.
I received some questions about my diary entry "PDF documents & URLs: update", and to beter explain the analysis method, I created a video.
How to best start the new year? How about a new tool: what-is-new.py.
Yesterday I came across a file type I rarely have to analyze: "Transport Neutral Encapsulation Format". It's an attachment file format used by Outlook and Exchange.
2017 is almost done and it’s my last diary for this year. I made a quick review of my CVE database (I’m using a local cve-search instance). The first interesting number is the amount of CVE’s created this year. Do you remember when the format was CVE-YYYY-XXXX? The CVE ID format changed in 2014 to break the limit of 9999 entries per year. This was indeed a requirement when you see the number of entries for the last five years:
We are almost at the end of another year. Last year I wrote a diary on Talent Shortage  and from what I have seen, it is still difficult to find the right people with the right skills . I read more than ever, enterprises have to start coming up with creative recruitment strategies to hire the next generation of security professionals (IP-based skillsets) and develop strong training programs to bring them up-to-speed with the right security skills needed to defend or audit their enterprise. Obviously, you can learn a lot of things in a classroom but some skills can only be acquired in the real world. Anyone willing to learn or is curious about how attacks methods works and how to defend against them, has strong ethics and problem solving skills sound like a candidate you might want to coach and hire.
I see a lot of malicious RTF files that are heavily obfuscated. Last, I received a sample that rtfobj or rtfdump could not handle properly to correctly identify OLE objects ("Not a well-formed OLE object"). But my rtfdump tool has an option that can help decode objects that are not well-formed. Let's take a closer look.
I've written before about PDFs with URLs used in social engineering attacks (TL;DR: nowadays, it's more likely you'll receive a malicious PDF that just contains a malicious URL, than a PDF with malicious code).
I received a bug report for my pdf-parser: it could not decompress the streams of a PDF document (FlateDecode decompress failed).
With the latest “gold rush” in cryptocurrency, many people are investing (or speculating, depending on your perspective) in Bitcoin and various other currencies. Many of these people are not the same tech-savvy people who have been mining for years, they are chasing big rates of returns. While the economic risks are its own discussion, this post will talk about some observations in how to protect the security of your cryptocurrency.
A note from HOD: We are recruiting, Etay is mostly through the roadmap. If you are interested in becoming a handler please check out our handler roadmap!