Researchers Find New Ways to Exploit Meltdown and Spectre Vulnerabilities in Modern CPUs

http://ift.tt/2BYfpMT

In the past few weeks, the entire information security industry has grown very anxious about Meltdown and Spectre, two classes of exploits that can be used to manipulate vulnerabilities in the way many varieties of modern processors (but especially Intel ones) handle a performance-improving technique called speculative execution and extract hidden system data. While numerous platforms have rushed to roll out patches, and Meltdown appears to be less of an issue than Spectre, it’s still unclear just how badly this situation could go.

Unfortunately, per the Register, researchers are already coming up with ways to exploit the vulnerabilities that go beyond the proof-of-concept stage. A new paper from Princeton University and Nvidia researchers titled “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols” has worked out yet more complex methods to use the vulnerabilities to extract some of the most sensitive user information on a system. In short, they trick multi-core systems into leaking data stored across more than one processor memory cache, per the Register:

The MeltdownPrime and SpectrePrime variants are based on cache invalidation protocols and utilize timing attack techniques known as Prime+Probe and Flush+Reload, which provide insight into how the victim is using cache memory.

“In the context of Spectre and Meltdown, leveraging coherence invalidations enables a Prime+Probe attack to achieve the same level of precision as a Flush+Reload attack and leak the same type of information,” the paper explained. “By exploiting cache invalidations, MeltdownPrime and SpectrePrime – two variants of Meltdown and Spectre, respectively – can leak victim memory at the same granularity as Meltdown and Spectre while using a Prime+Probe timing side-channel.”

The new attacks differ from the proof-of-concept methods revealed in the original research on Meltdown and Spectre, the researchers wrote, because while those methods simply pollute the cache during speculation, the newer attacks are “caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol.” Compromised information might include things like passwords, which attackers could potentially use to seize control of the targeted system.

There’s good news, namely that MeltdownPrime and SpectrePrime are likely resolved by the same patches that developers are releasing to resolve the original bugs. But the researchers also noted that hardware designers will need to design around the newly discovered attack methods.

Though Intel’s stock has recovered following the fiasco, numerous commentators called out the company as well as Apple and AMD for a lack of transparency regarding how vulnerable their processors remain and the rumored performance hits that may have resulted from patches. Though the impact on most uses of consumer-grade hardware appeared to be minimal, enterprise systems like servers may have taken a massive performance hit. Additionally, Linux systems may experience significant overhead as a result of patches that require extensive reworks of the way affected processors handle data. Intel has expanded its bug bounty program to offer hundreds of thousands to researchers who discover further flaws related to the exploits, per Engadget.

[The Register]

Tech

via Gizmodo http://gizmodo.com

February 14, 2018 at 08:12PM

Over 130 Top White House Officials Didn’t Have Full Security Clearance

http://ift.tt/2HhcwWW

Over 130 people working in the executive branch didn’t have full security clearances as of last November, NBC reported Wednesday evening, including senior advisers like Ivanka Trump, Jared Kushner, White House press secretary Sarah Huckabee Sanders, and White House counsel Don McGahn. A whopping 34 of those people began working for the government on Jan. 20, 2017—the day Trump was sworn in—and were still operating under an interim clearance some 10 months later in November.

And forty-seven of those 130 work in positions that report directly to the president; it’s “unclear” whether any of those employees have received permanent clearance in the months since, NBC said.

Some of the esteemed offices employing those with interim clearances include the National Economic Council, the Office of Management and Budget, the U.S. Trade Representative, the White House executive residence, and the National Security Council.

From NBC:

White House counsel Don McGahn, White House press secretary Sarah Huckabee Sanders and White House deputy press secretary Raj Shah, [had] only interim clearances to access the most sensitive government information, according to the documents. Each of them had obtained permanent clearances to access top-secret materials, a lower clearance that would prevent access to information, for example, in the president’s daily intelligence brief.

Legal experts said the lack of a permanent security clearance does not mean there is something problematic in an individual’s background. Dan Coats, the Director of National Intelligence, said during congressional testimony earlier this week that he would recommend minimal access to classified documents to anyone without a permanent security clearance.

“But if you do that, it has to be a specific interim with controlled access and limited access, and that has to be clear right from the beginning,” Coats said. “You can’t just say an interim allows me to do anything.”

Some of those received interim “top secret” and “sensitive compartmented information (SCI)” clearances, NBC also reported. As CNN noted earlier Wednesday, the intelligence permissions granted to those with interim versus permanent clearance “requires those with full permanent clearances to remain vigilant about what information is shared with those still operating on an interim basis.” Let’s take a guess at how vigilant the executive has been about toeing those boundaries, shall we?

Tech

via Gizmodo http://gizmodo.com

February 14, 2018 at 09:30PM

119,000 Passports and Photo IDs of FedEx Customers Found on Unsecured Amazon Server

http://ift.tt/2CnHOaL

Thousands of FedEx customers were exposed after the company left scanned passports, driver’s licenses, and other documentation on a publicly accessible Amazon S3 server.

The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes.

The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday.

According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversions, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017.

A copy of a Canadian passport discovered on Bongo’s unsecured Amazon server.

“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” said FedEx in a statement to Gizmodo. “The data was part of a service that was discontinued after our acquisition of Bongo.”

FedEx added there’s “no indication” of the data being “misappropriated.” Its investigation into the matter is ongoing.

According to Kromtech, more than 119,000 scanned documents were discovered on the server. As the documents were dated within the 2009-2012 range, it’s unclear if FedEx was aware of the server’s existence when it purchased Bongo in 2014, the company said.

Bob Diachenko, Kromtech’s head of communications, said that essentially anyone who might’ve used Bongo’s services between 2009 and 2012 may have had their identity compromised. It’s possible the data has been exposed online for several years, he said.

“This case highlights just how important it is to audit digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during, and after the sale,” Kromtech said in a statement. “During the integration or migration phase is usually the best time to identify any security and data privacy risks.”

Tech

via Gizmodo http://gizmodo.com

February 15, 2018 at 11:06AM

Fox News Host Describes the AR-15 Rifle as ‘So Safe’ While Reporting on America’s Latest School Shooting

http://ift.tt/2Hj3Sqz

Fox News host Laura Ingraham spent her show last night talking about the horrific shooting at a high school in Parkland, Florida that left 17 people dead. But she devoted 6 full minutes of her program to just how “safe” the AR-15 assault rifle is. Seriously.

Ingraham, complete with an Ash Wednesday cross on her forehead, talked with her guest Aaron Cohen about how guns are “very dangerous in the hands of the wrong person,” but said that guns like the AR-15 are actually very “safe.”

“You have a less likelihood of sporadic fire or hitting innocent people if you’re using it for home defense because it shoots really straight,” Cohen said of the AR-15, extolling the features of the weapon.

“So it’s actually a very safe weapon, it’s easier to shoot than a pistol,” Cohen continued.

The AR-15 is the same rifle that was used in yesterday’s shootings in Florida, not to mention the shootings in Aurora, Colorado in 2012 (12 dead, 70 injured), Newtown, Connecticut in 2012 (20 children between the ages of 6 and 7 years old dead, 6 adults dead), San Bernardino, California in 2015 (14 dead, 22 seriously wounded), Sutherland Springs, Texas (26 dead, 20 injured) and Las Vegas (58 dead, 851 injured).

“It didn’t take him long to go right to gun control,” Ingraham said after airing a clip of Democratic Senator Chris Murphy. Murphy correctly pointed out on the US Senate floor yesterday that these shootings simply don’t happen in countries where guns are tightly regulated.

But Ingraham would have you believe that any restrictions on the sale of the AR-15 in America would be silly, because the gun is so wonderful.

“If you’re not trained, and if you have a criminal disposition—a violent disposition—it can be turned into a killing machine. But [Senator] Chris Murphy wants to make it all about the weapons,” Ingraham said.

To say that the AR-15 can “be turned into” a killing machine is wholly disingenuous. The AR-15 is a killing machine. That’s literally what it is designed and manufactured to do, kill people. But she and her guest kept insisting during the nauseating segment that it’s ultimately a perfectly safe thing for Americans to keep in their homes.

“There is a mental health epidemic here, which is being confused for a gun problem,” Cohen said on Fox News with a straight face.

“Where are the parents?” Cohen asked, presumably about the parents of the alleged gunman Nikolas Cruz.

You can watch the entire Fox News segment on YouTube if you have the stomach for it right now.

If it feels like we’ve been here all before, that’s because we have. It’s hard not to feel hopeless as this happens over and over again. And it’s hard not to get angry at people like Ingraham who go on TV to assure you that it’s not about the guns, it’s about this abstract notion of “mental health.”

The rest of the world has plenty of people with mental health problems. But no other country watches their children regularly slaughtered by guns on TV the way that America does.

Tech

via Gizmodo http://gizmodo.com

February 15, 2018 at 06:48AM

Xbox party chat launches on Android and iOS

http://ift.tt/2Bt4utw

It’s now easier to keep up with your Xbox gaming pals when you’ve ventured beyond the living room. After several weeks of public testing, Microsoft has launched party chat in its Xbox apps for Android and iOS. If you use Xbox Live, you can use this to talk to your fellow party members through voice or text wherever you happen to be. That can be helpful if you want to keep up with an in-game raid while you’re rushing home, or if you just want to leave a party channel open as a semi-permanent group chat.

This gives Microsoft a slight edge over Sony: you can certainly message fellow PlayStation owners through official apps, but live voice chat isn’t an option unless you turn to a third-party service. While this probably won’t make or break your choice of console, it’s something to consider if you frequently play online with a close-knit group.

Via: The Verge

Source: App Store, Google Play

Tech

via Engadget http://www.engadget.com

February 14, 2018 at 04:48PM

Graphene film makes dirty water drinkable in a single step

http://ift.tt/2BZSrER

Every year, millions of people around the world die from drinking unclean water. Now, researchers have developed a process that can purify water, no matter how dirty it is, in a single step. Scientists from Australian research organization CSIRO have created a filtration technique using a graphene film with microscopic nano-channels that lets water pass through, but stops pollutants. The process, called "Graphair", is so effective that water samples from Sydney Harbor were safe to drink after being treated.

And while the film hails from graphene, Graphair is comparatively cheaper, faster and more environmentally-friendly to make, as its primary component is renewable soybean oil, which also helps maximise the efficiency of the purifying technique’s filter counterpart. Over time, oil-based pollutants can impede water filters, so contaminants have to be removed before filtering can even begin, but using Graphair removes these pollutants faster than any other method.

Water purification usually involves a complex process of several steps, so this breakthrough could have a significant impact on the roughly 2.1 billion people who don’t have clean, safe drinking water. "All that’s needed is heat, our graphene, a membrane filter and a small water pump. We’re hoping to commence field trials in a developing world community next year," said lead author Dr Dong Han Seo, who added that the team is looking for industry partners to help scale up the technology, and is also working on other applications for Graphair, such as seawater and industrial effluents.

Source: CSIRO

Tech

via Engadget http://www.engadget.com

February 15, 2018 at 06:06AM

Chemicals in Non-Stick Pans May Contribute to Weight Gain

http://ift.tt/2Es4LPZ

More than 38 percent of American adults and 17 percent of American children are obese. And while there are numerous ways to shed pounds, it’s often difficult for many people to keep them off. It turns out some common items regularly used by people across the world could be the culprit.
A study released Tuesday in PLOS Medicine suggests that perfluoroalkyl substances (PFASs) could be contributing to weight gain and lead to obesity. Since the 1950s, these environmental chemicals have been u

Tech

via Discover Main Feed http://ift.tt/1dqgCKa

February 14, 2018 at 03:28PM