Weekly podcast: Intel Foreshadow attack, Cosmos cash-out scheme, TLS 1.3 and Patch Tuesday

This week, we discuss a new flaw affecting Intel processors, a $13.5 million cyber attack on an Indian bank, the release of version 1.3 of the Transport Layer Security protocol and the highlights from this month’s Microsoft patches.

Hello and welcome to the IT Governance podcast for Friday, 17 August. Here are this week’s stories.

Researchers from the universities of Leuven, Michigan and Adelaide have identified a new vulnerability affecting Intel processors, which could allow attackers “to steal sensitive information stored inside personal computers or third party clouds”.

The L1 Terminal Fault or ‘Foreshadow attack’ (because, as we know, every serious vulnerability has to have a nickname) is the third major flaw to affect the company’s chips this year, after Meltdown and Spectre.

There are two versions: the original attack (CVE-2018-3615), designed to extract data from SGX (or Software Guard Extensions) enclaves, and a next-generation variant, Foreshadow-NG (CVE-2018-3620 and CVE-2018-3646), which Intel itself identified while investigating the original vulnerability.

Foreshadow-NG can be used to access “any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System’s Kernel, or Hypervisor.” It could also be used to access “information stored in other virtual machines running on the same third-party cloud” as well as to bypass “previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre”.

A full list of affected products can be found on Intel’s website, as can technical analysis of the vulnerability.

Intel has also released new microcode for many processors affected by the flaw. The microcode on its own does not close the hole, though: the bulk of the mitigation lives in operating system and hypervisor updates (page-table entry inversion in the kernel, and flushing of the L1 data cache when a virtual machine is entered), and the microcode supplies the L1D flush support those updates rely on.
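As an added example, not part of the podcast or of Intel's own material: on Linux the kernel reports how it is handling L1 Terminal Fault through a sysfs file, and the strings below are the forms that file takes. The script reads it when present and interprets the result for the two cases that matter to an administrator: is the kernel protected against the OS variant, and, if the host runs virtual machines, are guests prevented from reading the L1 data cache? The sample status lines are constructed test inputs, not readings from any particular machine.

```python
import re

L1TF_SYSFS = "/sys/devices/system/cpu/vulnerabilities/l1tf"

# Constructed examples of the status strings the Linux kernel writes to the l1tf file.
SAMPLE_STATUSES = [
    "Not affected",
    "Vulnerable",
    "Mitigation: PTE Inversion",
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "Mitigation: PTE Inversion; VMX: vulnerable",
    "Mitigation: PTE Inversion; VMX: EPT disabled",
]

# "Mitigation: PTE Inversion" optionally followed by the hypervisor (VMX) state and,
# when the kernel prints it, whether SMT (hyperthreading) is active.
MITIGATED_RE = re.compile(
    r"^Mitigation: PTE Inversion(?:; VMX: (.+?))?(?:, SMT (vulnerable|disabled))?$"
)


def read_l1tf_status(path=L1TF_SYSFS):
    """Return the kernel's L1TF status line, or None if the host does not report one
    (older kernel without the reporting, or not an x86 Linux host)."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def assess_l1tf(status):
    """Interpret one status line.

    os_mitigated  - PTE inversion protects kernel/OS memory from a local attacker
    vmx           - the hypervisor state the kernel reported, if any
    smt           - "vulnerable" (SMT on) or "disabled", when the kernel reports it
    vmm_mitigated - True if guests cannot read host or other-guest L1D contents,
                    False if they can, None if no hypervisor state was reported
    """
    if status is None:
        raise ValueError("kernel does not report L1TF status")
    if status == "Not affected":
        return {"affected": False, "os_mitigated": True, "vmx": None, "smt": None, "vmm_mitigated": True}
    m = MITIGATED_RE.match(status)
    if not m:
        # "Vulnerable" (mitigation off or missing) or an unrecognised string: treat as unmitigated.
        return {"affected": True, "os_mitigated": False, "vmx": None, "smt": None, "vmm_mitigated": False}
    vmx, smt = m.group(1), m.group(2)
    if vmx is None:
        vmm = None                      # no VMX state: nothing to assess for guests
    elif vmx in ("EPT disabled", "flush not necessary"):
        vmm = True                      # the attack needs EPT; without it (or on unaffected parts) guests are safe
    elif vmx in ("cache flushes", "conditional cache flushes"):
        vmm = smt == "disabled"         # flushing only fully closes the gap when no sibling thread can snoop L1D
    else:                               # "vulnerable": L1D flushing on VM entry is off
        vmm = False
    return {"affected": True, "os_mitigated": True, "vmx": vmx, "smt": smt, "vmm_mitigated": vmm}


if __name__ == "__main__":
    live = read_l1tf_status()
    for line in ([live] if live else []) + SAMPLE_STATUSES:
        print(f"{line!r:80} -> {assess_l1tf(line)}")
```

The usual hardening steps that move a host towards the green states are installing the kernel and hypervisor updates, applying the microcode, and either disabling SMT or accepting the residual risk the "SMT vulnerable" suffix describes.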

Leslie Culbertson, Intel’s executive vice president and general manager of Product Assurance and Security, commented: “We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices.”

Last weekend, the security journalist Brian Krebs reported that he’d obtained a confidential alert from the FBI warning banks that cyber criminals were poised to carry out a highly organised global heist in which they would “fraudulently withdraw millions of dollars” from cash machines around the world in just a few hours.

According to Mr Krebs, the FBI warned on Friday that it had “obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’”.

Unlimited operations work by infecting banks or payment card processors with malware, usually delivered through phishing. This gives the criminals access to customers' card data and to the bank's own network. From there they remove fraud controls such as withdrawal limits and other security measures from the banking systems, and amend account balances so that effectively unlimited funds are available. Accomplices then use cloned cards encoded with the stolen data to withdraw large amounts from cash machines in many countries at once, finishing within hours, before the issuer notices.

As if on cue, cyber criminals stole a total of Rs 94 crore (about US$13.5 million) from the Pune-based Cosmos Bank via thousands of cash-machine withdrawals on Saturday and a fraudulent SWIFT transfer on Monday.

According to India’s Economic Times, which linked the criminals to North Korea’s Lazarus Group, Cosmos’ chairman Milind Kale said that customers would not be affected.

He commented: “Our security systems have not been compromised. […] The bank turned off its servers and all internet banking applications after noticing several erratic and abnormally high transactions. These transactions happened over two hours and 13 minutes and were spread across 28 countries where cloned cards were used to debit several amounts”.

The police are investigating.

The open standards organisation the IETF (or Internet Engineering Task Force) has now published the final version of the Transport Layer Security protocol, TLS 1.3, as RFC 8446, having approved it in March.

It said: “Although the previous version, TLS 1.2, can be deployed securely, several high profile vulnerabilities have exploited optional parts of the protocol and outdated algorithms. TLS 1.3 removes many of these problematic options and only includes support for algorithms with no known vulnerabilities.” […]

“In contrast to TLS 1.2, TLS 1.3 provides additional privacy for data exchanges by encrypting more of the negotiation handshake to protect it from eavesdroppers. This enhancement helps protect the identities of the participants and impede traffic analysis. TLS 1.3 also enables forward secrecy by default which means that the compromise of long term secrets used in the protocol does not allow the decryption of data communicated while those long term secrets were in use. As a result, current communications will remain secure even if future communications are compromised.”

TLS 1.3 can now be implemented across applications and browsers. Many, including Firefox and Chrome, already support it.
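Two details of the new protocol trip up anyone writing detection or inventory tooling. First, a TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in both the record header and its legacy_version field; the real version is announced only in the supported_versions extension, so a tool that reads the old version fields will count 1.3 connections as 1.2. Second, the forward secrecy the IETF mentions is a property of every TLS 1.3 cipher suite, whereas in 1.2 it depends on which suite was negotiated. The following is an added example, not code from the podcast or the IETF: a ServerHello parser that reports the negotiated version correctly and classifies forward secrecy. The messages it parses are constructed in the block, not captured traffic, and the cipher-suite table is a small excerpt of the IANA registry.

```python
import struct

HANDSHAKE, SERVER_HELLO = 0x16, 0x02
EXT_SUPPORTED_VERSIONS = 0x002B           # RFC 8446, section 4.2.1
TLS12, TLS13 = 0x0303, 0x0304
VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", TLS12: "TLSv1.2", TLS13: "TLSv1.3"}

# Excerpt of the IANA cipher-suite registry, enough for the demonstration.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_server_hello(selected_version, suite, session_id=b""):
    """Construct a minimal ServerHello record as test input (constructed bytes, not captured
    traffic). A TLS 1.3 server keeps legacy_version = 0x0303 and announces 0x0304 only in
    the supported_versions extension; a TLS 1.2 server puts its version in legacy_version."""
    legacy_version = min(selected_version, TLS12)
    body = struct.pack("!H", legacy_version) + bytes(32)     # legacy_version + random (zeroed for the demo)
    body += bytes([len(session_id)]) + session_id             # legacy_session_id_echo
    body += struct.pack("!H", suite) + b"\x00"                 # cipher_suite + legacy_compression_method
    if selected_version == TLS13:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", TLS12, len(hs)) + hs


def parse_server_hello(record):
    """Return the negotiated version, cipher suite and whether the key exchange is forward
    secret, reading the fields the way RFC 8446 requires rather than trusting the header."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]               # legacy_version; overridden below for 1.3
    pos = 34 + 1 + body[34]                                   # skip random and session id echo
    if pos + 3 > len(body):
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                                   # cipher suite + compression method
    if pos < len(body):                                        # extensions: optional in 1.2, required in 1.3
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        if end > len(body):
            raise ValueError("extensions overrun ServerHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", data)[0]         # the real negotiated version
    name = CIPHER_SUITES.get(suite, f"unknown_0x{suite:04x}")
    # Every TLS 1.3 suite runs over an ephemeral (EC)DHE exchange. In TLS 1.2 forward secrecy
    # depends on the suite: static RSA key transport (TLS_RSA_*) has none.
    forward_secret = version == TLS13 or name.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    return {"version": VERSION_NAMES.get(version, f"0x{version:04x}"),
            "cipher_suite": name, "forward_secret": forward_secret}


if __name__ == "__main__":
    for ver, suite in ((TLS13, 0x1301), (TLS12, 0xC02F), (TLS12, 0x002F)):
        print(parse_server_hello(build_server_hello(ver, suite, bytes(32))))
```

On the client side the equivalent enforcement in Python's ssl module (3.7 and later) is setting a context's minimum_version to ssl.TLSVersion.TLSv1_3, after which a handshake that could only reach TLS 1.2 fails instead of silently downgrading.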

(You may remember that, three weeks ago, I mentioned that the latest version of Google Chrome was marking all websites that use HTTP as ‘not secure’ in a move to nudge site owners towards encrypting traffic with TLS.)

Finally, it was of course Patch Tuesday this week. Microsoft’s August updates included patches for 60 security flaws, including two zero-days that are currently being exploited in the wild: CVE-2018-8373, a memory corruption flaw in the Internet Explorer scripting engine, and CVE-2018-8414, a Windows Shell flaw triggered by a specially crafted file. Both enable remote code execution with the privileges of the logged-in user, so accounts running as administrator are fully exposed. Test and install…

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.
