#5 – Spectre and Gwyneth Paltrow

Understanding the Spectre and Meltdown vulnerabilities is complicated, so we use an old Gwyneth Paltrow movie to help explain why this is happening. And, if you are buying a new computer, we explain why to avoid Intel (for now); the problem with some of their chips may take years to redesign. We answer many listener questions, including a Facebook Messenger attack that is going around (again), a security product that you should uninstall if you have it, and a new crypto-mining attack that could make you…WannaCry. We announce that a free chapter from my book, Digital Habits, is now available, plus you can now listen to DIY Cyber Guy on your favorite podcatcher, including iTunes, Google Play, Stitcher, and Overcast!


Meltdown

John, New Zealand: I use my computer as a tool for my business. Do I really have to worry about an industry problem like Meltdown?

Yes.
Malcolm, San Jose: I’m a CPA, not a computer expert, but I definitely understand computers. What I don’t understand is how a virus like Meltdown can affect almost every computer, and every smartphone, and every tablet. Given that there are many different hardware manufacturers and software companies, how can one virus affect them all?

It’s not one CPU; it’s how nearly all CPUs are designed. Maximum speed = cheat. (Gwyneth Paltrow, Sliding Doors.)

It’s not a virus, and it’s not an attack yet, but it will be. There are now 139 separate malware samples related to the CPU vulnerabilities, some from hackers, some from security researchers and anti-virus companies testing the flaws. http://www.securityweek.com/malware-exploiting-spectre-meltdown-flaws-emerges

It’s a vulnerability. Computer systems are open to attack, in theory, because of one of the techniques chip manufacturers use to make chips run fast.

Speculative execution (the chip guessing which way a branch will go and running ahead) can be abused to steal data like passwords, bank information, anything sitting in memory. (That is the Sliding Doors part.)

EXAMPLE: This is about how CPUs are designed. Maximum speed = cheat. Gwyneth Paltrow, Sliding Doors: the CPU runs both possible futures before it knows which one is real, then throws the wrong one away, but the discarded future leaves traces (in the cache) that an attacker can measure. (Gotta listen to the netcast for details.)

Google’s Project Zero found the problems (other research teams found them independently at about the same time), and Spectre and Meltdown are NOT THE SAME!!

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Google also found a way to ‘fix’ Spectre Variant 2 without impacting your performance (a software technique it calls Retpoline):

https://www.blog.google/topics/google-cloud/protecting-our-google-cloud-customers-new-vulnerabilities-without-impacting-performance/

The vulnerabilities come in three variants, each of which must be protected against individually. Variant 1 and Variant 2 have also been referred to as “Spectre.” Variant 3 has been referred to as “Meltdown.”

Surprisingly, these vulnerabilities have been present in most computers for nearly 20 years. Because the vulnerabilities exploit features that are foundational to most modern CPUs—and were previously believed to be secure—they weren’t just hard to find, they were even harder to fix. For months, hundreds of engineers across Google and other companies worked continuously to understand these new vulnerabilities and find mitigations for them.

In September (2017), (Google) began deploying solutions for both Variants 1 and 3 to the production infrastructure that underpins all Google products—from Cloud services to Gmail, Search and Drive—and more-refined solutions in October.

While those solutions addressed Variants 1 and 3, it was clear from the outset that Variant 2 was going to be much harder to mitigate.

Again, Meltdown is fixed by operating-system updates (the fix walls kernel memory off from ordinary programs); the biggest cost is some processing speed. Just keep running the updates.

But, Spectre is a different story:

Spectre Update (Meltdown fixed)

Hair on Fire 5 of 5

Everyone – heads up.

Good News:

Google: fixed.

Apple: OK for now (see below).

Windows: OK.

No exploits ‘in the wild’.

Not remote (yet): the proof-of-concept code has to run on your machine, but the researchers showed it can run from JavaScript in a web page, which is why the browser makers shipped their own mitigations. Keep your browser updated too.

New Tools to use to see if you are at risk:

Windows:

Inspectre: https://www.grc.com/inspectre.htm

Ashampoo: https://www.ashampoo.com/en/usd/pin/1304/security-software/spectre-meltdown-cpu-checker

Or Google “ashampoo spectre”

Apple – OK for now; they are waiting for Intel to get the firmware fix right.

…because Intel got it wrong:

Bad News:

If you have any other computer operating system – STOP installing Intel’s firmware (microcode) update for now, and check your distribution’s advisories before taking anything that touches the CPU microcode; that update is the broken piece.

Intel really has a problem. Its microcode update for Variant 2 caused unexpected reboots and instability on some systems (it did not literally brick them), Intel told vendors to stop shipping it, and Microsoft pushed an out-of-band Windows update that disables the Intel Variant 2 fix:

http://nymag.com/selectall/2018/01/windows-pushes-patch-rolling-back-intel-spectre-bug-fix.html

Reluctantly advising not to buy any computer that has an Intel chip right now. Oversimplification? Yes. But this problem will last for a while because it has to do with the architecture of Intel chips. If you have to buy now, buy a Chromebook. Why? Already mitigated.

RECAP

Still hair on fire 5 of 5

Run your updates on Windows and Apple

Other OS’s: stop installing Intel’s microcode update until the fixed one ships – do Google searches and listen to this show to know when it is OK.

Don’t buy Intel for a while. Sorry.
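For listeners on Linux (the “other computer operating system” case above), you do not have to guess whether a pulled microcode update left you exposed: the kernel publishes its own verdict. This is an added example for these show notes, not code from the show, Google or Intel. It assumes a Linux 4.15 or later kernel, which exposes one status file per known CPU flaw under /sys/devices/system/cpu/vulnerabilities/; the sample status lines in SAMPLE are constructed for illustration, not captured from a real machine.

```python
"""Summarise the Linux kernel's own Spectre/Meltdown mitigation report.

Added example (not from the show, Google or Intel). Kernels 4.15+ expose one
file per known CPU flaw under /sys/devices/system/cpu/vulnerabilities/; each
holds a short status line such as "Not affected", "Vulnerable: ..." or
"Mitigation: PTI".
"""
from pathlib import Path

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Map one kernel status line to ok / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "ok"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: str = VULN_DIR) -> dict:
    """Read every status file in the sysfs directory; {} if it does not exist
    (older kernel, non-Linux host, or a container that hides /sys)."""
    root = Path(directory)
    if not root.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(root.iterdir()) if p.is_file()}


def summarize(statuses: dict) -> dict:
    """{flaw name: classification} for a {flaw name: status line} mapping."""
    return {name: classify(text) for name, text in statuses.items()}


def needs_action(statuses: dict) -> list:
    """Flaws still reported as vulnerable, or with a status we do not recognise."""
    return sorted(name for name, cls in summarize(statuses).items()
                  if cls in ("vulnerable", "unknown"))


# Constructed sample, not captured from a real machine: a January-2018 style
# system whose Meltdown fix (page-table isolation) is in place but whose
# Spectre Variant 2 mitigation is incomplete. Real spectre_v2 lines also name
# IBPB / IBRS when the CPU microcode provides them; that microcode is the piece
# Intel pulled.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def report(statuses: dict) -> str:
    """Human-readable report, one flaw per line, with a one-line verdict last."""
    lines = [f"{name:<12} {cls:<10} {statuses[name]}"
             for name, cls in summarize(statuses).items()]
    todo = needs_action(statuses)
    verdict = "all known flaws mitigated" if not todo else "still exposed: " + ", ".join(todo)
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    live = read_sysfs()
    if live:
        print(report(live))
    else:
        print("no sysfs report on this host; showing the constructed sample")
        print(report(SAMPLE))
```

Run it as root or an ordinary user; the files are world-readable. A “Vulnerable” spectre_v2 line on a machine that has taken every distribution update is exactly the “waiting on Intel” state described above, and the day the fixed microcode lands the same command is how you confirm it took.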


Russia and Company

Vladimir, Moscow: I have Kaspersky Internet Security. Should I uninstall it?

Yes.

Kaspersky Lab is in the news again. Kaspersky’s security software is installed on some 400 million computers worldwide.

1) In mid-September 2017, the US government stopped buying Kaspersky software and gave civilian agencies 90 days to remove it.

https://www.cnbc.com/2017/09/14/confusion-hits-consumer-market-over-us-ban-of-kaspersky.html

2) In December 2017, the ban was written into law in a defense spending bill, extending it to all civilian and military federal networks.

According to Reuters:

Democratic Senator Jeanne Shaheen, who led calls in Congress to scrub the software from government computers, said, “The case against Kaspersky is well-documented and deeply concerning. This law is long overdue.” She added that the company’s software represented a “grave risk” to U.S. national security.

https://www.reuters.com/article/us-usa-cyber-kaspersky/trump-signs-into-law-u-s-government-ban-on-kaspersky-lab-software-idUSKBN1E62V4

3) The Washington Post, the next day (December 13):

(One court document) shows that in April 2015, an FSB agent inside the office of Kaspersky Lab in Moscow gave a company technician a password for a suspected Russian cyber criminal’s computer. The technician gained access to the computer and obtained decrypted documents for the agent.

The agent, A.V. Kutasevich, worked side-by-side with the Kaspersky technician, Sabitov, in the “information retrieval” operation, according to the document, dated April 28, 2015.

Though American cybersecurity firms sometimes provide technical assistance to the FBI in criminal investigations, the close cooperation between Kaspersky Lab and the FSB raises eyebrows at a time when the Russian firm’s software products have been banned by the U.S. government out of concern they can be exploited as a platform for Russian spying.

https://www.washingtonpost.com/world/national-security/court-document-points-to-kaspersky-labs-cooperation-with-russian-security-service/2017/12/13/14ba9450-df42-11e7-bbd0-9dfb2e37492a_story.html?utm_term=.f6350f018892

4) It’s getting harder and harder to justify using many antivirus products: they run with the highest privileges on your machine and routinely upload suspicious files to the vendor’s cloud, so you are trusting the vendor completely. Got to recommend uninstalling any Kaspersky product until we have new information about the company and its practices. Hair on Fire: 2 of 5

Get it done; don’t panic.

Cryptocurrency Mining:

Jessica in Shreveport, LA:

I enjoyed your episode on Coinhive (cryptocurrency mining software, EPISODE: New Tinder Hack, A Crypto Heist, And Bitcoin ‘Creep’ – February 1, 2018). I thought that anything that could make your computer work on Bitcoin is actually a virus. Is that true? This may be a stupid question.

No. Coinhive is code written for developers to insert into their websites or digital advertising so that visitors’ computers mine cryptocurrency (Monero, not Bitcoin) for the site owner. Some uses are legit and disclosed; many are not.

BUT a cybersecurity company called Proofpoint found a nasty botnet, Smominru, that is ‘infecting’ computers with the same type of code. Remember WannaCry, the ransomware that caused havoc last year? It spread using a leaked NSA exploit called EternalBlue, which attacks a flaw in Windows file sharing (SMBv1) that Microsoft had already patched in March 2017 as MS17-010. Apparently there are still plenty of unpatched computers out there, because these hackers are using the SAME exploit to deliver a miner for Monero (not Bitcoin).

According to Proofpoint:

Even with recent volatility in the price of most cryptocurrencies, especially Bitcoin, interest among mainstream users and the media remains high. At the same time, Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value (Figure 1), putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions. Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which has earned millions of dollars for its operators.

Proofpoint continues:

The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely [extremely large]. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M).

https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

Fix – run your updates! EternalBlue has been patched since March 2017 (MS17-010), but only if you install the update Microsoft provided. If you don’t need SMBv1 (recent Windows 10 no longer installs it by default), turn it off, and make sure file sharing (TCP port 445) is not reachable from the internet.

Net Neutrality

Melissa from NJ: I heard NJ has net neutrality again. Is that right?

Not exactly.

Governors of California, New York State, Montana and now New Jersey are using their states’ purchasing power to enforce net neutrality within their states.

https://arstechnica.com/tech-policy/2018/02/isps-must-follow-net-neutrality-in-new-jersey-governor-declares/

The executive order says that New Jersey state agencies may only buy Internet service from ISPs that adhere to net neutrality principles. But the net neutrality protections will cover ordinary residents as well as government officials. That’s because the order says that “adherence to ‘net neutrality’ principles means that an ISP shall not [violate the rules] with respect to any consumers in New Jersey (including but not limited to State entities).”

ISPs doing business with the state would not be allowed to block or throttle lawful Internet traffic for any consumer in New Jersey. Paid prioritization will also be off-limits. The order will apply to ISPs that accept state contracts on or after July 1 of this year.

Also…

“We may not agree with everything we see online, but that does not give us a justifiable reason to block the free, uninterrupted, and indiscriminate flow of information,” Murphy said in his announcement. “And, it certainly doesn’t give certain companies or individuals a right to pay their way to the front of the line. While New Jersey cannot unilaterally regulate net neutrality back into law or cement it as a state regulation, we can exercise our power as a consumer to make our preferences known.”

https://arstechnica.com/tech-policy/2018/02/isps-must-follow-net-neutrality-in-new-jersey-governor-declares/

UNLIKELY ALLY: Burger King?!?

https://www.youtube.com/watch?v=ltzy5vRmN8Q

TESTERS: Do net neutrality test sites work?

http://www.testyourinter.net/

RECAP

Hair on Fire 1 of 5

Say thanks to your governors

Jackpotting!

Doug, Connecticut: I have heard that hackers are stealing money directly from ATM’s. Is my money at risk?

Thieves are turning ATMs into slot machines with malware (‘jackpotting’).

https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

Hair on Fire = 0 of 5. Jackpotting empties the cash cassettes inside the machine; it is the bank’s money, not a withdrawal from anyone’s account, so your balance is not touched. The thieves have to physically open the ATM and plug in their own equipment (in the attacks Krebs describes, using an endoscope camera to find the right spot inside). But if you saw that, you would walk away anyway, and it is likely to happen when the bank is not open.

Facebook Video hack

Ella in Massachusetts

All of my Facebook friends received a message from me on FB Messenger with a video. When they clicked the video, every one of THEIR friends got the same message. What should I do?

First – stop using the device where you clicked the video. Put it in airplane mode, then turn it off (power down) and set it aside. You probably downloaded malware onto that device.

Next, log in to FB using another device. Now change your FB password. https://www.facebook.com/help/213395615347144

Now, turn on 2-factor authentication: https://www.facebook.com/help/148233965247823

Look for the message in Messenger. If you see it, delete it. You may also see it on your timeline; delete that, too.

Send a message to everyone telling them not to watch any video they get from you.

Now turn the device from step 1 back on. Check that it is still in airplane mode. Now you need to find out whether that device has malware on it, and how to remove it:

https://www.cnet.com/how-to/how-to-tell-if-your-facebook-has-been-hacked/

PREVENTION: Never launch a video, or click a link, that you didn’t ask for or haven’t checked. If someone sends you a video or link and asks you to click it, go out of band (call or text them) and confirm they actually sent it.

Published by

David W. Schropfer

David W. Schropfer is the CEO of AnchorID, Incorporated, a cybersecurity company in New York (www.AnchorID.com). Every day, he and his team of professionals keep the people who use AnchorID safe from some of the most common traps, hacks and attacks that target computer systems of all sizes. David’s previous books, including The Smartphone Wallet and three industry whitepapers, predicted some of the biggest trends in the payments, mobile, and security industries. Since graduating from Boston College, David earned an Executive MBA from the University of Miami.