Saturday, May 26, 2018

Spectre-Part 2

Earlier this year, the industry had the opportunity and pleasure to begin working through the Meltdown and Spectre vulnerabilities and their potential attacks. The remediation for these is still being researched and applied for each use case. They had the potential to be devastating for a target.
As with any successful proof of concept or attack, once the remediation has been identified, new variants designed to evade the original detection are generally created so the attacks can continue to succeed. This is not unusual, as this side of the business has been operationalized. The attackers naturally noted that this class of exploit would work and modified the code for an updated version. The new set of flaws has been named Spectre Next Generation, or Spectre-NG.
Remediation
The new variant continues to be rather significant. Intel, as of March 2018, was working on the patches for this, to be pushed in May and August 2018. This has been worked on intently, as Intel is focused on protecting its customers’ data.
Targets
The next iteration of this attack is fully capable of being used against both consumer and corporate enterprise computer systems. Although the pool of potential targets is rather large, this attack is not likely to be used in a mass or large-scale attack. The research noted, however, that cloud and multi-tenant service providers may be at higher risk.
As with the prior vulnerability, this will be patched and remediated in due time. Until then, the potentially affected parties need to exercise a bit more care.


Resources
Kovacs, E. (2018, May 4). Intel working on patches for 8 new Spectre-like flaws: Report. Retrieved from https://www.securityweek.com/intel-working-patches-8-new-spectre-flaws-report

Schmidt, J. (2018, March 5). Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several services. Retrieved from https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-services-4060648.html

Tung, L. (2018, May 4). Are 8 new Spectre-class flaws about to be exposed? Intel confirms it’s readying fixes. Retrieved from https://www.zdnet.com/article/are-8-new-spectre-class-flaws-about-to-be-exposed-intel-confirms-its-readying-fixes

Friday, May 25, 2018

We Truly Need to Learn From Our Mistakes



“Those who cannot remember the past are condemned to repeat it.” -George Santayana

In the InfoSec field, professionals strive to protect the enterprise, create or update processes to secure the users as much as possible, and, if an issue falls through the cracks, analyze it with a forensic lens. Although this sounds like a pretty simple process, it is rather complex given the number of persons and departments involved, all of which have to agree.


One particular area of our operations which tends to be frustrating involves breaches. Occasionally things happen and users click on something (link, picture, etc.) they truly should not have. The lure may be an enticing picture, the promise of a package delivery, or virtually any other topic. When, however, this happens repeatedly, especially after the increase in training and announcements, the InfoSec Department begins to wonder what the users are thinking and what can be done so this does not happen again. These thoughts meander through the InfoSec mind all the while the issue is being remediated, or an attempt is being made to do so. Depending on the compromise, this may be re-imaging a workstation, analyzing effects on a server farm, or simply taking a moment to ponder “Why me?”


An incident like this occurred in Texas recently. This involved ransomware being introduced into the Riverside Fire and Texas Police Department computer servers (http://www.ehackingnews.com/2018/05/texas-police-department-server-again.html). This attack occurred on May 4th of 2018. Ransomware is well-known and used throughout the globe. The compounding issue was that the police department had been a victim of a ransomware attack previously, on April 23rd of 2018. With the initial attack, the police department lost approximately 10 months of sensitive data generated by on-going investigations. In this latest attack, the ransomware was coded to lock some files and delete others located on the affected server.


In this case, the police department did not pay the ransom and was able to recover some of the data. The police department had finally learned its lesson from this set of operational exercises. There is now a backup protocol in place, and the admin staff only had to re-enter approximately eight hours of work.


The initial attack vector was the simple phishing email; however, the second attack’s method of successful delivery is unknown. This emphasizes the need for communication and staff training. To supplement this, there may be an internal phishing campaign run by the organization itself. The results of this may also be used as another training tool and opportunity.

Include InfoSec into the DevOps Stack for Optimal Solutions



Information security’s place in society is well-known and well published. To most people, there is no doubt about the extent of its pertinence. The rather large and far-reaching effects of breaches in the last few years have been on the news, in newspapers, blogs, journals, and many other reputable sources. These have affected millions of people repeatedly, along with banks and other secondary victims.


One aspect of this dilemma not receiving a large amount of press is the software development process itself. In developing software, there is a specified process to follow, and in theory, this should, when followed, produce a solid application which functions well.


One area of this development not sufficiently applied involves InfoSec. An issue occurs when, at or near the end of a project, the project leaders decide to contact the InfoSec Department and ask for assistance with the project. This has occurred too many times and simply creates a mess.


Seemingly, everyone knows it makes financial and operational sense to have InfoSec involved from the beginning of a project. As the project advances, InfoSec would have the opportunity to provide input throughout the project, and InfoSec best practices could be put in place over time. Without this taking place, the earlier steps or gates requiring InfoSec to be in place would need to be revisited, which costs more to fix. The construction of a home is an appropriate analogy: properly constructing the plumbing while construction is ongoing is significantly easier than trying to fix it when the home is complete or nearly so.


This has been documented in the 2016 Forrester Research study. While the software was still in development, the average amount of time to correct an issue was five hours. With the defect being corrected when the software was in the final testing phase, the average time required to fix it was 5-7x longer. This is further exacerbated when the product is already on the market, with the cost to correct at 10x-15x longer. These extended times to fix issues directly affect operations, increase costs, and decrease the security of the product.


This does not necessarily need to be the case. Involving InfoSec from the initial stages of a project is strongly recommended.

Saturday, May 19, 2018

VW compromise an issue again

As technology advances, there are more opportunities for vulnerabilities to be researched and published. These continue to abound throughout the industries using these technologies. With computer chips, there have been Spectre and other vulnerabilities; with smartphones, Rowhammer and many others across the different platforms. Vehicles have the same issues, as they use much of the same equipment. There may not be as many issues published, but there are still critical issues with these.
These issues, if properly executed, have the overt, direct potential to compromise a vehicle, with a rather immediate and drastic effect. Two examples with expansive effects would be locking up the brakes while on the expressway, or diverting the vehicle into an 85-degree turn in rush hour while traveling 70 mph on the way to work.
These vulnerabilities, when published, create quite a buzz. Given the press each such vulnerability has historically received, and the role these machines play in our lives and culture, the focus is only going to grow in attention and importance.
Coupled with the exponential advances in autonomous drive (AD) and connected vehicles (CV), the connected and autonomous vehicle (CAV) market and vehicle offerings are growing, providing more of a product base to test and more modules to fail.
Infotainment Hacking
The latest subject vulnerability involves the infotainment system in two VW and Audi vehicles. The infotainment system has been defined as the hardware and software functional modules located in the vehicle which provide entertainment to the occupants. Most consumers recognize it as the screen/monitor in their vehicle’s dash. Using this module, consumers are able to access the internet, listen to their music selection, call other parties, review maps, and use many other options. This system, while exceptional, has in the past and present also provided access points and vulnerabilities.
These issues generally are not easy to fix due to the complexity of the modules, the millions of lines of code (LoC), and, more to the point, the difficulty of bringing the many groups together to analyze, review, and mitigate the issue.
For the subject test, the module was tested by the Dutch cybersecurity firm Computest. As the infotainment system was the focal point, the researchers, Daan Keuper and Thijs Alkemade, tested the 2015 Volkswagen Golf GTE and Audi A3 e-tron.
It is notable that the researchers were responsible in their testing and research publication process. The test was successful: the researchers identified vulnerabilities and were able to exploit them. The researchers did not fully disclose their process or findings. With this vulnerability, the issue has to be corrected at the dealership. As it cannot be fixed with a firmware-over-the-air (FOTA) update, this will take time to implement through the fleet. For the researchers to publish the details of the attack before allowing the auto manufacturers adequate time to fix it may have put people in harm’s way.
Report
The research report itself is freely available online; the link is noted in the resources section. Compliments are due to the researchers at Computest. The work was well thought through and organized. The report was presented with a sufficient amount of technical jargon, while still being perfectly digestible by others not in the same sub-industry. The steps used in the research were also laid out.
The report had a single question to be researched and answered. This was, from page 8 of the report, “Can we influence the driving behavior or critical security systems of a car via an internet attack vector?”
The short answer was yes.
Research – Subject Hardware (HW)
As noted, the focus was on the infotainment system for the vehicle. As for the hardware, this module used a system manufactured by Harman known as the Modular Infotainment Platform (MIB). The tested hardware was version 2.
Research Process
With any product testing, it is best to know what the subject product or module has to offer. The more data and information, the better, as it provides more for the researcher to work with.
The initial and basic step was a port scan of the VW module. This scan found several ports open, including the telnet port. In particular, port 49152 was open and running a UPnP service, which used the Plutinosoft Platinum UPnP stack. This is an open source app, and happened to be used in the 2015 model year Audi A3 as well.
As this curiosity was noted, the Audi was also scanned. This model only had two ports open. One of these was 49152, with the same service running. In this particular section of the test, no exploit was noted with the limited testing that was completed.
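As an added example (not code from the Computest report or from this blog), the following Python parses nmap greppable (-oG) output such as a bench scan of the two modules would produce and flags the services a defender would want disabled or firewalled before a vehicle ships. The addresses, hostnames and the Audi’s second open port are constructed sample values; only the telnet and TCP 49152 Platinum UPnP findings mirror what the text describes.

```python
"""Flag exposed network services on infotainment modules from nmap -oG output.

Added example, not Computest's or any vendor's code. Hosts, addresses and the
Audi's second port are constructed sample data.
"""
import re

# Constructed nmap -oG lines. Each port entry has the fields
#   port/state/protocol/owner/service/rpc-info/version/
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample, not a real capture)
Host: 192.0.2.10 (vw-golf-gte-mib2)\tPorts: 23/open/tcp//telnet///, 49152/open/tcp//upnp//Platinum UPnP/, 1900/open|filtered/udp//upnp///\tIgnored State: closed (997)
Host: 192.0.2.11 (audi-a3-etron-mib2)\tPorts: 53/open/tcp//domain///, 49152/open/tcp//upnp//Platinum UPnP/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Services a defender would not expect to be reachable on a module facing the
# vehicle's Wi-Fi or hotspot side, with the remediation to request.
FLAGGED_SERVICES = {
    "telnet": "cleartext remote shell; disable or firewall",
    "upnp": "discovery/control service; restrict to trusted interfaces",
}

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return {host_label: [(port, proto, service, version), ...]} for ports
    whose state is exactly 'open'. UDP 'open|filtered' guesses are skipped so
    an unconfirmed response does not become a finding."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        label = m.group(2) or m.group(1)  # prefer the hostname, else the address
        open_ports = hosts.setdefault(label, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state == "open":
                    open_ports.append((int(port), proto, service, version))
    return hosts


def flag_exposed(hosts):
    """Return sorted (host, port, proto, service, reason) findings."""
    findings = []
    for label, ports in hosts.items():
        for port, proto, service, _version in ports:
            reason = FLAGGED_SERVICES.get(service.lower())
            if reason:
                findings.append((label, port, proto, service, reason))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, proto, service, reason in flag_exposed(parse_grepable(SAMPLE_SCAN)):
        print(f"{host}: {port}/{proto} {service} -> {reason}")
```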
As the testing continued, the researchers found a vulnerability to exploit. This allowed the researchers to read files from the disk and achieve their end goal of remote code execution, which opened up a plethora of other tests and attacks. In short, the researchers got root. With this, attackers would also be able to toggle the microphone in the vehicle on or off, review the address book, and review the history of conversations. This was not fully disclosed due to safety issues; it was, however, acknowledged by VW.
The researchers also analyzed the Renesas V850 chip. This is connected to the CAN bus with a serial connector and manages the CAN communication for the vehicle. The researchers did not test this; they theorized, however, that with a firmware image, which is not easy to find and secure, a backdoor could be placed into modified firmware and the image reflashed.
But wait, there’s more…
The research report noted several instances of potential vulnerabilities to be tested. These and others were not tested. The researchers had the opportunity to research and document further, but stopped.
As they did gain root, a number of these other tests were available. An example involves the infotainment system, which is indirectly connected to the vehicle acceleration and braking modules, which are targets.
The researchers ended up ceasing their efforts due to the nature of the testing itself. Continuing could have involved VW’s intellectual property, and the researchers may have found themselves working through legal ramifications.

Resources
Cimpanu, C. (2018, April 30). Volkswagen and Audi cars vulnerable to remote hacking. Retrieved from https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking
Computest. (2018). The connected car: Ways to get unauthorized access and potential implications. Retrieved from http://www.computest.nl/wp-content/uploads/2018/04/connected-car-rapport.pdf
Dunn, J.E. (2018, May 2). Volkswagen and Audi car infotainment systems hacked remotely. Retrieved from https://nakedsecurity.sophos.com/2018/05/02/volkswagen-and-audi-car-infotainment-systems-hacked-remotely/
Information Security Newsletter. (2018, May 1). With this vulnerability you can remotely hack Volkswagen and Audi cars. Retrieved from http://www.securitynewspaper.com/2018/05/01/vulnerability-can-remotely-hack-volkswagen-audi-cars/
McGlaun, S. (2018, May 1). VW and Audi cars have infotainment systems vulnerable to remote hacking. Retrieved from https://www.slashgear.com/vw-and-audi-cars-have-infotainment-systems-vulnerable-to-remote-hacking-01529071/
Smith. (2018, May 1). Car hackers find remotely exploitable vulnerabilities in Volkswagen and Audi vehicles. Retrieved from https://www.csoonline.com/article/3269299/security/car-hackers-find-remote-exploitable-vulnerabilities-in-volkswagen-and-audi-vehicles.html
Sussman, B. (2018, May 1). Research: VW and Audi cars hacked through infotainment system. Retrieved from https://www.secureworldexpo.com/industry-news/research-vw-and-audi-cars-hacked-through-infotainment-system
Tung, L. (2018, May 1). VW-Audi security: Multiple infotainment flaws could give attackers remote access. Retrieved from https://www.zdnet.com/article/vw-audi-security-multiple-infotainment-flaws-could-give-attackers-remote-access/
Wood, D.A. (2018, May 1). Volkswagen and Audi vehicles remotely hacked. Retrieved from https://www.carcomplaints.com/news/2018/volkswagen-audi-vehicles-remotely-hacked.shtml

Friday, May 11, 2018

Insider threats are costly

The insider threat is a completely viable attack vector, whether the act is intentional or unintentional. To a not insignificant degree, there will be the opportunity for an insider to intentionally steal data via email or a thumb drive as they leave at the end of the workday. There are also the unintentional acts of the hapless worker answering their emails as they should, but then clicking on a link or picture from someone they thought they knew.
The operational effects of these can range from the trivial, such as reimaging a workstation, to a full password reset for a global corporation across several time zones and languages. The costs range wildly, depending on the impact, the number of persons involved, the type of equipment affected, and the types of systems compromised.
A recent study, the “2018 Cost of Insider Threats: Global Organizations”, cited the average annual cost of insider threats at $8.76M. This average cost, however, is still rather significant.
This has the opportunity to affect many facets of the business, including the loss of confidential data, loss of operations and productivity, and loss of rapport.
Although the number of insider threat compromises will never be zero, there are methods to reduce it to a manageable level. To succeed and thrive, the company needs to understand the causes of this rampant issue. Using 2016 as a baseline, the number of incidents resulting from contractors more than doubled, to 53%. Notably, the number of incidents involving credential theft has likewise increased significantly. A critical cause of incidents is negligent acts by insiders. As these are unintentional, there is a training opportunity for users to understand the importance of paying attention to what they are clicking.




SunTrust insider threat issues

Insider threats have to be accounted for in some form or manner. Although a business would hope this would not be an issue, at times it still is. In particular, the business owner or senior management should be aware of potential issues. It is notable that the insider threat has the potential to be devastating, especially when the insider is acting maliciously.
A recent and unfortunate incident involved SunTrust. In February 2018, one of their former employees attempted to steal an estimated 1.5M clients’ data. The former employee’s intent was to sell this to a third party for criminal uses.
Any data stolen is not a good thing for the institution or its clients. In this case, it could have been much worse. The data stolen was the clients’ names, addresses, phone numbers, and account balances. Fortunately, the PII (e.g. social security number, account number, PIN, user ID, password, or driver’s license number) was not included.
The former employee did copy the data but was not able to remove it from the bank.
Other malicious insider attacks have been worse. The more data that is stolen and exfiltrated, the greater the potential liability. To alleviate the majority of this potential issue, businesses should put in place a robust program, or set of programs, to monitor user behavior. This would act to safeguard the data and report issues in a timely manner.

Resources
E-Hacking News. (2018, April 23). SunTrust bank’s former employee stole details of 1.5 million. Retrieved from http://www.ehackingnews.com/2018/04/suntrust-banks-former-employee-stole.html

Zorz, Z. (2018, April 23). Former SunTrust employee stole data on 1.5 million clients. Retrieved from https://www.helpnetsecurity.com/2018/04/23/suntrust-stolen-data/

Wednesday, May 9, 2018

Medical records as phishing targets

Over the last few years, there have been many breaches involving hospitals, doctor’s offices, and other institutions holding medical records. These records are generally held in an electronic format, such as electronic medical records (EMR) and electronic health records (EHR). These definitely have a value on the dark web. They clearly are not simply lying about for anyone to exfiltrate, but are secured at various levels with applications of information and cybersecurity. To not apply security would be negligent and in violation of several laws, including HIPAA. With these records secured, the attackers need to find alternative methods to compromise the systems.
One such incident occurred in 1Q2018. UnityPoint Health was compromised between February 1st and 7th, and the attackers, as an extension of the compromise, were able to access approximately 16K patient medical records. This was accomplished through a phishing attack used as the attack vector.
The attackers were able to exfiltrate the patients’ names, dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, dates of service, and insurance information. The attackers may have also had access to social security numbers and other patient financial information.

This provides a training opportunity for the medical field on what can happen with a compromise from a simple, yet effective, phishing email.
As always, please contact us for a consult as needed.


Thank you!