Meltdown, Spectre and BSOD

Source: Trace Bellassai, Client Operations Engineer

In the time since we last visited Meltdown and Spectre, patches have been released in a frenzy to try to make your devices more secure. In that frenzy, however, some problems with the patches were not caught before they were released to users. At least that was the case with Microsoft and Windows 10.

As people applied the patch for Meltdown, they began to see their systems stuck and unable to boot, or crashing with a BSOD. Microsoft realized this relatively quickly and found the issue to be antivirus software making unsupported calls into Windows kernel memory. Up until now, although it was not a supported call, it worked because the kernel’s page tables were shared with the user memory space. Patching Meltdown means separating the kernel table from user space, which breaks a method used by many antivirus applications. In order to prevent these boot locks and BSODs, Microsoft has instructed antivirus vendors to set a registry value that flags to Windows Update that their software will work alongside the Meltdown patch. Only after this registry value has been set will Microsoft allow the patch to be applied. Since Microsoft’s updates are now cumulative, this registry value will need to be set to receive any further updates, at least currently and for the near future. A list of which AV vendors currently support the new patch, as well as which set the registry value required by Microsoft, can be found at the bottom of this post¹, but it is recommended to check directly with your AV vendor for compatibility with the patch.

Many users of older AMD Athlon chips have also reported their systems becoming un-bootable after applying the Microsoft Meltdown updates. For this reason, Microsoft has delayed pushing the patches to some machines with AMD Athlon chips. This, however, does not seem to be exclusive to AMD. Intel recently released a statement that they have received reports of reboot issues after applying firmware updates to Broadwell and Haswell CPUs. Intel is currently working with customers to diagnose and resolve this issue and recommends that users continue to install available security updates.

Since Spectre “tricks” one program into disclosing secrets to another, it is important not only to update your operating systems and firmware, but to update every piece of software on your computer. The latest Nvidia drivers included an update to this effect, which many misinterpreted to mean that Nvidia GPUs are susceptible. Nvidia CEO Jensen Huang has clarified this by stating “I am absolutely certain that your GPU is not affected”, and explaining that the update includes fixes for their software, not for any GPU vulnerability. Since Spectre exploits speculation about whether an array access is within bounds, the mitigation recommended by ARM and Intel is to insert serializing instructions between the test of the array size and the access to the array element. Some vendors, such as Apple, have also begun to obfuscate memory addresses so that if an attempt is made to speculate on those addresses, the CPU speculates on the wrong address, which is not useful to the attacker.

FoxGuard again recommends keeping all devices and software up to date with current security patches. It is important to get in touch with your antivirus vendor to discover if they are setting the Windows registry values that will allow you to continue to receive Windows updates.

For more information on these vulnerabilities, please see:

¹https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview

https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-and-meltdown-patches-will-hurt-performance/

https://techcrunch.com/2018/01/10/nvidia-ceo-clarifies-its-gpus-are-absolutely-immune-to-meltdown-and-spectre/

http://www.zdnet.com/article/windows-meltdown-spectre-update-now-some-amd-pc-owners-post-crash-reports/

http://www.zdnet.com/article/microsoft-no-more-windows-patches-at-all-if-your-av-clashes-with-our-meltdown-fix/

https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/

Transient Cyber Assets and NERC Regulation

One of the most difficult challenges for any security team is protecting cyber assets that frequently move from one place to another (i.e., are “transient”). The challenge is twofold: (1) how an organization protects against what can happen when a transient system moves to a network that has inadequate security controls, and (2) how an organization protects against what can happen when a transient system moves to a network that contains critical infrastructure or other sensitive assets. If not properly managed, transient systems can become a high-risk attack vector for compromising critical infrastructure. Due to organizational silos in large utilities, there are often many different variants of Transient Cyber Assets (TCAs) inside an organization, increasing the attack surface. Recognizing this risk, the North American Electric Reliability Corporation (NERC) recently introduced enhanced requirements in its Critical Infrastructure Protection (CIP) standards to ensure regulated entities minimize the risk TCAs can pose to critical infrastructure. NERC CIP-010-2 Requirement 4 documents the new requirements:

  • Transient Cyber Asset Management (i.e., introduce management to ensure compliance with applicable requirements)
  • Transient Cyber Asset Authorization (i.e., introduce management to ensure TCAs are used only to perform business functions)
  • Software Vulnerability Mitigation (i.e., introduce one or more methods to mitigate vulnerability risk)
  • Introduction of Malicious Code Mitigation (i.e., introduce one or more methods to mitigate risk from the introduction of malicious code)
  • Unauthorized Use Mitigation (i.e., introduce one or more methods to mitigate risk from unauthorized use)

NERC-affected entities must now extend their security program to improve the security posture of transient cyber assets (TCAs). Although many NERC guidelines may already be prudent for TCAs, there are now specific requirements that affected organizations must address. Through the introduction of process and technology, organizations must now ensure that all software on TCAs is known, appropriately patched, and scanned for vulnerabilities. Also, TCAs must include specific security solutions such as anti-virus, application whitelisting, and more. Meeting these objectives on systems that are dynamic may seem daunting for affected organizations. To meet the requirements, organizations need to re-think management of their TCAs and greatly improve their security posture. Organizations should look to institute operational procedures that ensure TCAs are as secure as possible. One approach to meeting this objective is an automated “Gold Image” approach in which every TCA is periodically brought back to a defined security baseline. From there, additional automated tools can be leveraged to verify that the systems have not drifted from the baseline and have not introduced additional high-risk software or vulnerabilities.


WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT


Spectre and Meltdown – New Vulnerabilities Exposed

Source: Trace Bellassai, Client Operations Engineer

NEW VULNERABILITIES
Details have recently been released on a hardware vulnerability in several different Central Processing Units (CPUs). These vulnerabilities affect Intel, AMD, and ARM CPUs, though at this time it would appear that Intel is more susceptible to attack using these vulnerabilities. The vulnerabilities have been given the names “Spectre” and “Meltdown” by the researchers who discovered them. These are actually two separate, but related, vulnerabilities. At the time of this writing, the Department of Homeland Security’s Computer Emergency Readiness Team is not aware of any active exploitation of these vulnerabilities.

SPECTRE
Spectre, which affects nearly all modern CPUs, is actually a term that refers to two vulnerabilities: a bounds check bypass and a branch target injection. These vulnerabilities can be used to break program isolation, meaning that they can allow one program to “talk” to another in ways that were not intended by the software designer. This can lead to one program tricking another into revealing “secrets” such as passwords. Since the vulnerability exists at the hardware level, even error-free software designed with current best coding practices is still susceptible. The branch target injection attack leaves open the possibility of reading memory from services such as a hypervisor. This has major impacts for cloud providers, which often use extremely powerful systems and then segment out resources on the same machine to multiple customers by using a hypervisor. Using Spectre, an attacker could potentially infect a virtual system used by customer A and extract data from the virtual system of a completely separate customer B, simply because they share a system from the same cloud provider. Spectre is harder to exploit, but is also harder to patch.
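The bounds check bypass described above, together with the serializing-instruction mitigation described in the earlier “Meltdown, Spectre and BSOD” post, as an added C example (this is not code from the post or from FoxGuard). The lookup table contents are constructed. The post only names the serializing instruction; the `SPECULATION_BARRIER` macro (LFENCE on x86) and the branchless index-masking helper are assumptions added here, the latter being the approach the Linux kernel takes with `array_index_nospec`, so the example goes slightly beyond the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not from the post): a small table that a program
 * might index with input it does not fully control, e.g. a message field. */
static const uint8_t array1[16] = {
    1, 8, 15, 22, 29, 36, 43, 50, 57, 64, 71, 78, 85, 92, 99, 106
};
static const size_t array1_size = sizeof array1;

/* The "serializing instruction" the post refers to. On x86, LFENCE does not
 * execute until every earlier instruction (the bounds check) has completed,
 * so the load after it cannot run while a mispredicted branch is in flight.
 * On other targets this is only a compiler barrier and is NOT a mitigation;
 * the architecture's own barrier (e.g. CSDB on ARM) must be used instead. */
#if defined(__x86_64__) || defined(__i386__)
#  define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#  define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

/* The vulnerable shape: architecturally correct, but while the predictor
 * guesses "in bounds" the CPU may speculatively load array1[x] for any x,
 * leaving cache state that a timing side channel can later observe. */
uint8_t lookup_unprotected(size_t x)
{
    if (x < array1_size)
        return array1[x];
    return 0;
}

/* Mitigation recommended by Intel and ARM: serialize between the bounds
 * check and the dependent load. */
uint8_t lookup_with_barrier(size_t x)
{
    if (x < array1_size) {
        SPECULATION_BARRIER();
        return array1[x];
    }
    return 0;
}

/* Branchless mask: all ones when index < size, all zeros otherwise.
 * If index < size, both index and size-1-index are small non-negative values
 * and the top bit of their OR is clear; otherwise size-1-index wraps around
 * and sets the top bit. Relies on arithmetic right shift of a signed value,
 * which GCC and Clang guarantee. */
size_t array_index_mask_nospec(size_t index, size_t size)
{
    intptr_t v = (intptr_t)(index | (size - 1 - index));
    return (size_t)(~v >> (sizeof(intptr_t) * 8 - 1));
}

/* Cheaper alternative to a fence: clamp the index in the speculative path so
 * that no out-of-bounds address is ever formed, even on a misprediction. */
uint8_t lookup_with_mask(size_t x)
{
    if (x < array1_size) {
        x &= array_index_mask_nospec(x, array1_size);
        return array1[x];
    }
    return 0;
}

int main(void)
{
    const size_t probes[] = { 3, 15, 16, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t x = probes[i];
        printf("x=%zu unprotected=%u barrier=%u masked=%u mask=%#zx\n",
               x, lookup_unprotected(x), lookup_with_barrier(x),
               lookup_with_mask(x), array_index_mask_nospec(x, array1_size));
    }
    return 0;
}
```

All three lookups return the same values when run normally; the difference is only in what the CPU is allowed to do speculatively, which is why this class of bug is invisible to ordinary testing and must be found by reviewing code for the pattern, or by having the compiler insert the barriers (for example, MSVC’s /Qspectre or Clang’s speculative load hardening).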

MELTDOWN
While Spectre allows one application to steal sensitive information from another, Meltdown is a different case. Meltdown, which affects Intel CPUs (produced after 1995) and is largely ineffective against AMD and ARM (though it’s possible the new ARM Cortex-A75 is affected), allows for the possibility of accessing privileged kernel memory from user space. Daniel Gruss, one of the researchers who discovered the vulnerability, referred to it as “probably one of the worst CPU bugs ever found”, and it’s easy to see why he would say this. With Meltdown, the attacker does not need to target a specific piece of software, but rather can attack the operating system itself to extract secrets. This opens up the possibility of any information being processed by the CPU being stolen. Meltdown is easier to exploit than Spectre, but is also easier to patch, with a caveat. The way Meltdown would be patched is by separating the kernel table from user memory space. The kernel table is mapped into each process’s user memory, but is access-protected; Meltdown, however, bypasses this protection. Separating them out would be the easiest way to mitigate the vulnerability, but could also deliver performance hits, reducing performance by up to 30% for some tasks.

HOW TO PROTECT YOUR SYSTEM
Both of these vulnerabilities need code to be executed on the host machine for an exploit to take place. This likely means that a different vulnerability will need to be exploited for the code to be executed without the user’s knowledge. FoxGuard would like to stress how important it is not to run programs, or insert USB devices, from unknown or unreliable sources. Patches are being developed, or have already been developed, for both Spectre and Meltdown. Patching will also minimize the attack surface available to an attacker for executing the code required to exploit Spectre and Meltdown. Therefore, as always, FoxGuard recommends staying as up to date as possible with current security patches by using a robust patch management solution. Many Linux distributions, as well as Android, Microsoft, and Apple, have already released patches to mitigate one or both of the vulnerabilities. Major cloud providers, such as Amazon, Google, and Microsoft, have also stated that they have already deployed patches.

The best place to check for these updates will be the hardware vendor sites (Dell, HP, etc) as well as operating system vendor sites, and update tools built into your operating system. Please reach out to your vendor if you need assistance in locating these patches.

More information can be found using the below links:

https://googleprojectzero.blogspot.com/2018/01/
https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities
https://spectreattack.com/
https://techcrunch.com/2018/01/03/kernel-panic-what-are-meltdown-and-spectre-the-bugs-affecting-nearly-every-computer-and-device/



2017 Year In Review – Hacking your power tools

FoxGuard was pleased to be included in the list of top Archer News stories from 2017. Archer News traveled the world in 2017 and found FoxGuard’s very own Monta Elkins’ presentation, “Disassembly and Hacking of Firmware Where You Least Expect It: In Your Tools”, to be among the top of the highlight reel of 2017 security news. Watch the video at the source link below and pay close attention around the 0:52 mark.

Source:  http://www.archersecuritygroup.com/year-review-traveling-hacking-spam/


Securing Transient Cyber Assets – 5 things to consider

SECURING TRANSIENT CYBER ASSETS – 5 THINGS TO CONSIDER

One of the most difficult challenges for any security team is protecting cyber assets that frequently move from one place to another (i.e., are “transient”).


Deadline for Federal Contractors and Subcontractors, Protecting Unclassified Information

Deadline for Federal Contractors and Subcontractors


December 31, 2017 marks the deadline for compliance with NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.


Controlled Unclassified Information (CUI) is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended”. (1) A Nonfederal Information System is an information system that does not meet the criteria of a Federal Information System, namely, “used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency”. A Nonfederal Organization is “an entity that owns, operates, or maintains a nonfederal information system”, including federal contractors and subcontractors, State and local governments, colleges and universities, and independent research organizations. CUI categories include (but are not limited to) Controlled Technical Information, Critical Infrastructure Information, Information Systems Vulnerability Information, Procurement and Acquisition, and Proprietary Business Information.


The requirements in NIST SP 800-171 are derived from FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, and the moderate security control baseline in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, both of which are part of the Risk Management Framework (RMF). NIST SP 800-171 includes requirements in the areas of Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.


Federal contract awards are dependent on compliance with NIST SP 800-171.


More information on the publication can be found at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final


  • Executive Order 13556, Controlled Unclassified Information
  • NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

FOXGUARD SOLUTIONS CYBERSECURITY PROTECTING OUR NATION’S MILITARY BASES

FoxGuard Solutions, Inc. was awarded the distinguished Department of Defense and Department of Energy ESTCP project, Cybersecurity for Building Automation Systems

CHRISTIANSBURG, Va. December 7, 2017 – FoxGuard Solutions, Inc. was awarded a grant from the Department of Defense to develop a “Cybersecurity Platform for Energy Management and Control Systems”. The program is run through the Office of the Secretary of Defense and is targeted at protecting military installations across the world from cyber-attack.

ABOUT ESTCP:  The Program’s goal is to identify and demonstrate the most promising innovative and cost-effective technologies and methods that address DoD’s high-priority cyber security requirements.  

DoD NEED:
The Department of Defense (DoD) is the largest single consumer of energy in the United States. It operates over 500,000 buildings and structures with diverse inventory encompassing barracks, commissaries, data centers, office buildings, laboratories, and aircraft maintenance depots. A majority of these bases are largely dependent on a commercial power grid that is vulnerable to disruption from cyber-attacks, aging infrastructure, weather-related events and direct attack. In an effort to reduce energy costs, increase security and improve energy resiliency, DoD has adopted a cyber security strategy for fixed installations.

FoxGuard Solutions was tasked with researching, developing, and demonstrating technology and techniques to identify and monitor BACnet field controllers for vulnerabilities, continuously monitor security controls, and identify patches for Building Automation Systems software, hardware and firmware, while also facilitating the deployment of those patches.

KEY ELEMENTS:
• Building Automation System Asset Discovery
• BACnet Vulnerability Scanning
• Patching Building Automation Systems
• Continuous Monitoring of Cyber Security Controls

The program is based around the Risk Management Framework (RMF) to help DoD control system owners continuously monitor Building Automation Systems for vulnerabilities. 

About FoxGuard Solutions, Inc.:
FoxGuard Solutions develops custom cyber security, compliance and industrial computing solutions. FoxGuard provides reliable, secure and configurable patch management reporting services, which include availability reporting and applicability analysis for information technology (IT) and operational technology (OT) assets used in critical infrastructure environments. 

Media Contact 
Marcie Killen
Marketing Manager
p. 540.382.4234 x152


Information Assurance 101

“Headlines over the past 24 months have cited security breaches in Anthem, the Philippines’ Commission on Elections (COMELEC), Wendy’s, LinkedIn, the Red Cross, Cisco, Yahoo, financial institutions around the world, and even the U.S. Department of Justice. As well, statistics show that 43% of cyberattacks target small businesses. Earlier this year, a high school server system in Illinois was infiltrated and the perpetrator attempted to extort the district for $37,000 in order to restore their access to the information on the servers.

What is Information Assurance, and why should we care?”


UAE RoHS is Effective 1/1/18 for IT Equipment

Despite the lack of clarity in the information that the United Arab Emirates regulating authorities provided until recently, despite lobbying by industry associations for an extension, and despite the fact that nobody is actually going to have certified products by the first of the new year, UAE authorities are adamant about the “in force” date of January 1, 2018. However, they have made the following concession:

Companies must register before the deadline in the ESMA portal and submit applications for ECAS or EQM and, as a minimum, submit the company’s documented “Risk assessment” process as well as the signed “Declaration of Compliance” form. Companies that register before January 1, 2018 and have submitted applications with the minimum documentation listed above will be able to continue to import their products in 2018.

Michael Kirschner, President of Design Chain Associates (1), writes in the DCA December 2017 Newsletter:  “There are multiple examples of regulators trying to regulate the electronics industry without really working with the industry to understand it first. China’s attempt to make everyone test every part in Chinese government labs in 2009 as they attempted to implement the restriction phase of ’China RoHS’ was a great example; this is another. Not that the electronics industry has a one-stop-shop for regulators to speak with that represents any significant chunk of this industry…rather than stepping away from environmental performance, the industry needs to own it to prevent this sort of failure that costs everyone time and money.”

Key points of the UAE RoHS regulation include:

  • Among the products in scope are PCs and peripherals, laptops, printers, “other products / equipment for collection, storage, processing, presentation or communication of information by electronic means”, and “other products or equipment of transmitting sound, images or other information by telecommunications”
  • The restricted substances are the same as EU RoHS; however, the application and certification process is much more rigorous
  • Applicant must have a UAE trade license
  • There are two conformity assessment options:
      • Mandatory under ECAS, valid for one year only
      • Model H under EQM


Details of the regulation can be found on ESMA’s website, at http://www.esma.gov.ae/Documents/Restriction%20on%20Hazardous%20Substances.pdf