New Year, New Fears: Meltdown and Spectre

Happy New Year!

By now you’ve heard about Meltdown and Spectre, the two new CPU vulnerabilities that are getting 24/7 airtime on every news channel.

This is going to really hurt Intel, as it essentially means that a 2 GHz processor is going to effectively run at 1.4 GHz after it’s patched. A 4 GHz processor is going to effectively run at 2.8 GHz. That’s the kind of performance hit that hard-core gamers and industry professionals are waking up to today, and will encourage many to consider alternative CPUs in the future. Unfortunately, while the one issue (Meltdown) only applies to Intel CPUs the other one (Spectre) affects almost every CPU that has been tested.

Meltdown and Spectre are two separate design flaws in the CPUs that mismanage how access to memory handles are controlled. Older hardware and operating systems will never be patched to address these vulnerabilities, and the patches that are currently being pushed for the Intel (Meltdown) flaw have a very high failure rate (as much as 20% for some hardware) often resulting in unbootable devices. My advice is to wait a few days for other people to be the guinea pigs, then install the updates after you get the all clear.

Neither of these affects only Windows. The vulnerabilities are hardware-based, but the current workarounds for them are being pushed into the operating systems to prevent them from being abused.

Meltdown affects every Intel CPU available today, which means that while many Windows computers are affected, every supported Mac is impacted (they’re all using Intel CPUs), and phones and other devices that use Intel chips are vulnerable as well.

Spectre affects just about everything. If your vendor isn’t supporting the device anymore, it will never be patched and the device can never be secured. Every computer hosting every website is affected. Every server. Every phone, tablet, desktop and laptop in the world is affected by at least one of these vulnerabilities. It seems that the only devices immune are certain security devices (dongles) or devices with very limited capabilities. If it can run software, it’s vulnerable.

If you’re a stock market enthusiast this is a good time to invest in mobile hardware vendors – wait a week or so for people to start bailing out in fear and the price to drop. Then buy their ignorance and in a year you’ll be thanking me. There may not be an immediate return, but as chips are released in the next 8-18 months that resolve these problems, security-minded companies and governments will be buying in bulk to replace every single device they currently employ. Talk about a huge surge in purchases later this year. 🙂

I don’t put a lot of stock in what anyone from the government says, so I will defer to the Intel VP who says that the “unfixable” Spectre flaw can be resolved with a firmware update on most supported devices. I assume the same is true for other vendor chips affected by Spectre. Unfortunately, this means it’s still going to be a long-tail fix, since firmware updates can take months to be released for each supported chip and years to be fully addressed, and unsupported hardware will never be fixed. The Intel SA-00086 vulnerability (initially reported in February 2017), for example, which impacts the last 4 full generations of Intel CPUs still has not received patches for most currently supported hardware. Likewise, it’s quite unlikely that Spectre will be fully addressed on existing supported hardware within the next couple years.

Replacing your device isn’t a solution, either, since hardware that isn’t vulnerable simply doesn’t exist yet. We need to hope that operating system vendors will correctly and fully address these problems on current hardware in the very near future.

Now for the good news

If you’re maintaining your devices – installing operating system, application and driver updates, and you’re removing outdated and unused software, and you’re not installing untrusted third party applications that are either unmaintainable or unsecureable, and you have not been installing “bad” programs (warez, fake, or malicious) – then your computer is really at no greater risk today than it was last week. Both of these vulnerabilities require an evil application to be run on your device to be exploited. They are not remote exploits that automatically bypass the other security precautions you may have in place (unlike SA-00086). Remove everything you don’t want or need on your device, don’t install untrusted apps, don’t ever click “yes” in a popup without reading it and understanding the implications, and you’ll probably be OK. Really.

For anyone else that’s not already using my service: If you don’t want to do this all by yourself – let me.

KRACK Attacks: Protocol Insecurity

The KRACK Attacks are a great example of why updates are important. Wireless networking has been around over 45 years with many encryption and security layers being adapted over that time. The variation most commonly in use today, Wi-Fi with WPA2, is about 13 years old. Thousands of people have reviewed the protocol documents. Vendors across the world have implemented the protocol as it was designed and it is in active daily use on billions of devices (yes, billions with a “b”). However, a relatively minor flaw in the design of the greeting/handshake allows an evil third party to essentially hijack any Wi-Fi network.

At least 6 months ago a series of vulnerabilities in all wireless protocols (including the most secure current wireless protocol, WPA2) were discovered that allowed for an evil third-party in range of your Wi-Fi network connection to emulate it and hijack your access to the connection to be able to siphon or change information between you and the Internet. These vulnerabilities also make it possible to intercept and alter “secure” traffic (such as HTTPS encrypted connections) by way of it’s MitM scope on some networks and devices.

Every vendor’s hardware that was tested was found to be vulnerable. The thing is, if they obeyed the protocol it would literally be impossible not to be vulnerable.

Several months ago the person that discovered the issue contacted different vendors to alert them of the problems and they are actively coordinating security updates this week to address them. FreeBSD patched it months ago. Microsoft patched it last Tuesday. Some Android devices have been patched over the last couple weeks, while others may never be. Security updates for ChromeOS should be released next Tuesday. Apple’s patch for iOS, macOS, tvOS and watchOS is planned for release “soon,” but every version of macOS and iOS are affected and not all are still supported (in other words – only some Apple devices will receive patches). Hardware vendors are gradually releasing updates for supported devices.

What should you do?

Patch or replace your hardware. All of your hardware: your routers, modems, phones, tablets, laptops, desktops that have Wi-Fi support, even your light bulbs and irrigation systems.

If a patch is not currently available for your hardware, hound the vendor until it is, or replace/avoid that hardware (and vendor).

If your hardware is no longer supported by the vendor you will not receive security updates to address this vulnerability. Most hardware still in use today is beyond it’s support period (aka “end of life/EOL”), so will never receive a security update to address this vulnerability or any other. Really. It’s probably time to replace that “perfectly good” wireless router you picked up “only 5 years ago” at a “helluva bargain” that “still works.” It’s annoying, but important to check the vendors site when purchasing hardware to ensure that it’s supported by them. Most vendors support their hardware only 5 to 10 years after a modem was initially released. Most people buy hardware at least half-way through this period, significantly reducing the applicable support period.

Always use TLS/SSL. If the sites you visit don’t support HTTPS, don’t use them or at least contact their webmasters to request HTTPS support.

Avoid wireless connections. Yes, really. Even if this had never occurred, understand that every wireless network is inherently insecure. Emulating your network the way the KRACK Attack operates is only one way to hijack it. There are many other risks in all forms of networking, from old, insecure, and unsupported network equipment that can be easily compromised to unmaintained and unsecureable hardware that joins the network. While a wired network generally contains all traffic within the cables that make up the network, a wireless network, by definition, broadcasts all network traffic for any evildoer within range to capture and record. While they may not be able to exploit that encrypted information today, it’s likely that similar vulnerabilities will be discovered that allow them to decrypt and abuse that information sometime in the future. Avoiding wireless connections reduces this risk.

I thought this only affected my router?

No. This vulnerability is a protocol-level issue, which means that every single wireless device in the world that was designed to obey the protocol is impacted. All of them. Patch or replace.

Many protocols have weaknesses that are eventually addressed with minor and sometimes major changes. SMTP – the protocol used to send email – didn’t require any form of authentication at any level for over 20 years! The geeks that think this stuff up are awesome, but we can’t anticipate everything.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

 

Why you should delay iOS upgrades

Today is September 9th, 2017 and iOS 11 was released! Yay! This version has several new features that Apple fanboys are going gaga over. It’s exciting, it’s new, and in about a month you should install it on your device. For years I have advocated that major iOS upgrades should be delayed at least 3 weeks. Why? Math.

This simple timeline demonstrates Apple’s history with patches for iOS upgrades:

1.0.1 was released 32 days after 1.0.0. It was a security update.
1.1.1 was released 13 days after 1.1.0. It was a major stability update.
2.0.1 was released 14 days after 2.0.0. It was a major stability update.
2.1.1 was released 3 days after 2.1.0. It was a security update.
3.0.1 was released 44 days after 3.0.0. It was a security update.
3.1.1 was released the same day as 3.1.0. It was a security update.
3.1.2 was released 29 days after 3.1.1. It was a major stability update.
4.0.1 was released 24 days after 4.0.0. It was a major stability update.
4.3.1 was released 16 days after 4.3.0. It was a security update.
5.0.1 was released 29 days after 5.0.0. It was a security update.
5.1.1 was released 61 days after 5.1.0. It was a security update.
6.0.1 was released 61 days after 6.0.0. It was a security update.
6.1.1 was released 9 days after 6.1.0. It was a major stability update.
7.0.1 was released 1 day after 7.0.0. It was a security update.
7.0.2 was released 7 days after 7.0.1. It was a security update.
7.1.1 was released 43 days after 7.1.0. It was a major stability update.
8.0.1 was released 7 days after 8.0.0. It was a security update – and was so bad they pulled it.
8.0.2 was released 1 day after 8.0.1. It was a major stability update.
8.1.1 was released 28 days after 8.1.0. It was a security update.
8.4.1 was released 44 days after 8.4.0. It was a security update.
9.0.2 was released 14 days after 9.0.0. It was a security update.
9.2.1 was released 133 days after 9.2.0. It was a security update.
9.3.1 was released 10 days after 9.3.0. It was a major stability update.
10.0.2 was released 10 days after 10.0.0. It was a stability update.
10.1.1 was released 7 days after 10.1.0. It was a security update.
10.2.1 was released 42 days after 10.2.0. It was a security update.
10.3.1 was released 7 days after 10.3.0. It was a security update.

11.0.0 was released today. How long do you think it will be before they release their mandatory security update?

With history as our guide, we can safely assume it’s going to be roughly 26 days before they release whatever security update is required of the first major release of iOS 11.

Looking at the numbers we can also see that fixes for major updates are released on average 21 days after the initial major version (n.0.x), where minor version fixes average closer to 30 days after the release of the minor version (n.n.x). If we remove the outlier (9.2.1) because it’s over 4 months and double any other period, the averages become 20 days for serious patches to major updates and 22 days for serious patches to minor updates. Again: 21 days – three weeks – becomes the minimum average for your safety.

That means you should expect a security update for iOS 11 around October 10th, 2017. Be patient. The privacy you save will be your own.

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

Another Reason Why You Need a Password Manager

This Wordfence article is a great demonstration of why using a password manager is so important.

The message the author is pushing is “these browsers suffer because it’s easy to phish them” when the reality is that the specific “vulnerability” is actually the way the Internet is designed. The weakest link for all phishing is always PEBCAK – aka, “Problem Exists Between Chair and Keyboard”. Phishing is not your typical security problem, because it’s not the computer the attacker needs to convince, it’s the person.

Don’t get me wrong, I’m not saying that there should not be some visual and functional indication for IDN domains, but the user is still going to be the weakest link. Any indicator would go unnoticed or misunderstood by most people anyway.

A better solution is to use a password manager such as RoboForm. RoboForm bypasses this issue by preventing you from authentication to the forged domains. RoboForm (and most other password managers) authenticate only to trusted domains, so even though the IDN domain may visually appear to be the same, it will not be treated as the real domain within the password manager.

See how RoboForm addresses this problem. In the first image you can see the emboldened stored credentials which will only appear if the domain is a match for the stored login.

Demonstration of RoboForm Domain Match

RoboForm Domain Match

Here we have the punycode IDN variation, which, since it is actually a different domain, has no match in RoboForm.

Demonstration of RoboForm Domain Mismatch

RoboForm Domain Mismatch

While the specific issue at hand is phishing for ways to trick the user into authenticating to a domain that appears to be the real thing using a specific cosmetic effect, there are many other ways that domains can be made to look like the real thing, and each of them still works well after this particular issue is addressed.

Using a password manager is the best and easiest way to ensure that you’re visiting the real site. It also provides strong authentication and far better passwords than you can create on your own.

Okay, now go get RoboForm.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

Creating a Facebook App ID

facebook-icon

Some plugins and content management systems require a Facebook App ID to be created in order to provide various functionality. This simple guide helps you understand the process of adding a new app with the funky website/app domains functionality that Facebook make more difficult than it probably should be.

  • The first step is to login to Facebook and visit this page.
  • Click Add a New App

fb-app-setup-1

  • Enter the app Display Name, Contact Email and Category. Click Create App ID

fb-app-setup-2

  • Click Settings, Basic

fb-app-setup-3

  • Click Add Platform

fb-app-setup-4

  • Click Website

fb-app-setup-5

  • Enter your Site URL

fb-app-setup-6

  • Click Save Changes

fb-app-setup-7

  • Enter your website domain(s) in App Domains

fb-app-setup-8

  • Click Save Changes

fb-app-setup-9

You’re done.

At this point the plugin or content management system you’re using will need the App ID and App Secret (which you can get by clicking “Show”)