A Spectre flaw solution, Cloudflare blips, a bank cyber-heist in Canada, and more in infosec land

Also, the SEC takes aim at another shady ICO

Spectre logo jazzed up

Roundup While we were busy chasing SpamCannibals, jailing Yahoo hackers, and blaming North Korea for everything else, there was some interesting security news going on.

Let's have a look at some of the stories that didn't quite make Reg headlines.

Boffins float a (sort of) fix for Spectre bug

A group of researchers from TU Dresden in Germany have outlined a mitigation for one of the more daunting engineering problems associated with the Spectre-class of processor chip vulnerabilities.

The group explains how its fix could address the Bounds Check Bypass (aka Variant 1) issue in Spectre while still maintaining some decent performance on the patched CPU.

The researchers say that, rather than serializing all instructions, they have a method to flag and delay certain instructions that could be vulnerable to exploitation, while continuing to process other instructions as before.

By doing so, the researchers claim, they can remedy the Variant 1 vulnerability by merely slowing down performance by about 60 per cent. That's not great, but it's better than the possible 440 per cent increase in processing time that could be caused by fully serializing the chips.

Bank hackers grab financial data on 90,000 Canadians

About 90,000 of America's polite upstairs neighbors have had the misfortune of getting their banking information lifted by hackers.

The CBC reports that hackers were able to get into the networks of two major Canadian banks and pilfer tens of thousands of customer records, including account numbers, balances, passwords, and social insurance numbers.

Both Simplii and Bank of Montreal were targeted in a ransomware attack. When the banks refused to pay the $1m cryptocoin bounty, the hackers went public and provided the information to the press.

While the banks have vowed to cover any losses customers incur from the hack, the entire incident has some in Canada questioning the security infrastructure for all banks in the country at a time when many are reporting record profits.

Cloudflare DNS takes a couple minutes off

It's not exactly a major outage, but it should be noted that, for a very brief time earlier this week, Cloudflare's DNS service was offline.

The edge network specialist says that it was not an attack that brought down its 1.1.1.1 service for a whopping 17 minutes on Thursday, but rather a false alarm that triggered its Gatebot security tool into thinking something was wrong.

Apparently, Cloudflare explained, Gatebot wasn't able to properly handle requests in the range of its DNS service.

"The effect was that, after pushing the new code release, our systems interpreted the resolver traffic as an attack," Cloudflare explained.

"The automatic systems deployed DNS mitigations for our DNS resolver IP ranges for 17 minutes, between 1758 and 1813 May 31st UTC. This caused 1.1.1.1 DNS resolver to be globally inaccessible."

Cloudflare says the issue should now be fixed, so nobody else will be getting a very short vacation from the internet any time soon.

Also, earlier this week, a BGP leak affected the 1.1.1.1 service. The hijack lasted for about a minute, no DNS lookups were lost or affected, we're told, and it was probably a typo: an engineer used 1.1.1.1 as a placeholder and crashed into Cloudflare's systems.

SEC looks to bust up $21m ICO outfit on scam charges

Stop us if you've heard this one: an initial coin offering is suspected of just being a massive scam.

This time it's Titanium Blockchain Infrastructure Services that finds itself in the crosshairs of SEC – America's financial watchdog. The regulator said it had obtained an emergency order to halt the company's ICO as the agency pursues charges of fraud.

The SEC claims that the company's president, a self-described "blockchain evangelist" named Michael Stollaire, had been drumming up hype for the coin offering by lying about the company having the backing of the Federal Reserve as well as corporate giants like Verizon, Disney, and Boeing.

The ICO had hoped to bring the company about $21m in proceeds from coin sales. That offering, however, is now on hold.

"This ICO was based on a social media marketing blitz that allegedly deceived investors with purely fictional claims of business prospects," said SEC Enforcement Division chief Robert Cohen.

"Having filed multiple cases involving allegedly fraudulent ICOs, we again encourage investors to be especially cautious when considering these as investments."

Quick links

  • The Qihoo 360 Vulcan Team found a remote-code execution hole in EOS Node, a component of the open-source blockchain platform.
  • The super-privileged System Management Mode in Intel-based computers can be potentially accessed via Spectre variant 1 and 2 vulnerabilities in chips, researchers claim.
  • Three quarters of Redis servers left open to the public internet are infected with malware, according to Imperva.
  • And three quarters – 71 of 96 – US federal government agencies' cybersecurity efforts and projects need improving because they are a risk or high risk, auditors stated in a damning report this month.
  • Arlo security camera owners were urged to change their passwords after miscreants were discovered using user credentials leaked from other unrelated services to access Arlo accounts – so-called credential stuffing.
  • Ticketfly, owned by Eventbrite, was compromised, its website defaced to read "HacKeD By IsHaKdZ," and some customer information was swiped and exposed to the internet, and 1 Bitcoin was demanded by the miscreants responsible.
  • Google has detailed Android's security mechanisms for preventing malicious firmware from being installed in Pixel 2 smartphones – the code that checks the owner's password to decrypt information cannot be changed unless a correct password is supplied.

Apple drops a round of updates

Just in case your Mac, iPhone or AppleTV hasn't warned you yet, there's a fresh round of security updates from Apple that you will want to install.

For MacOS, the fixes will be available as High Sierra 10.13.5, Security Update 2018-003 Sierra, or Security Update 2018-003 El Capitan. The update includes fixes for the S/MIME encryption flaw, a remote code execution bug in Nvidia's graphics drivers, and three different remote code flaws in the MacOS kernel.

For iOS, the update will be seen as iOS 11.4, and the Apple Watch as watchOS 4.3.1. On AppleTV it will be tvOS 11.4.

Even Windows users will want to be on the lookout for Apple fixes. iCloud for Windows 7.5 includes patches for 16 CVE-listed vulnerabilities in the security and Webkit components of the cloud software. ®

Sponsored: Minds Mastering Machines - Call for papers now open




Biting the hand that feeds IT © 1998–2018