Weekly podcast: Twitter, Spectre-NG, NIS Directive and patches

This week, we discuss Twitter’s password reset, new Spectre CPU flaws, the implementation of the EU’s NIS Directive, and patch Tuesday’s highlights

Hello and welcome to the IT Governance podcast for Friday, 11 May 2018.

Two weeks till the GDPR comes into effect… I hope you’re enjoying all the privacy notices you’ve been receiving over the last few weeks. I know I have.

Here are this week’s stories.

It was World Password Day on 3 May. Twitter celebrated the occasion by suggesting that all 330 million of its users change their passwords after it discovered that a bug had caused some of them to be written in plaintext to an internal log before they were hashed with bcrypt, as they normally are.

Parag Agrawal, Twitter’s chief technology officer, blogged that Twitter had found the error itself, removed the passwords, and was implementing plans to prevent the situation occurring again. Moreover, he insisted, there was “no indication of breach or misuse by anyone”.
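The Twitter bug is a textbook example of a hashing scheme being undone by something upstream of it: the hash store was fine, but a log line captured the credential before the hash was computed. The following is an added example, not Twitter's code, showing the vulnerable pattern beside a hardened one and a simple check a responder could run over log output to find such leaks. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs with no third-party packages; the field names, iteration count, logger set-up and sample request are all constructed for the example.

```python
"""Added example: a password reset handler that leaks the plaintext
credential into a log, its hardened form, and a log scanner for the leak.
Not Twitter's code; PBKDF2 stands in for bcrypt so this runs offline."""
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Stand-in for bcrypt (assumption: stdlib only). Use bcrypt or argon2 in real code.
ITERATIONS = 200_000
SECRET_FIELDS = ("password", "passwd", "new_password", "token")  # constructed list


def hash_password(password: str) -> str:
    """Salted, slow hash of the password; the only form that should be stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def redact(params: dict) -> dict:
    """Copy of the request with credential-bearing fields masked for logging."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v)
            for k, v in params.items()}


def make_logger(name: str):
    """In-memory logger so the example can inspect exactly what was written."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def vulnerable_reset(params: dict, logger: logging.Logger) -> str:
    # The bug pattern: the whole request is logged BEFORE the hash is computed,
    # so the store holds a hash but the log holds the plaintext.
    logger.debug("password reset request: %r", params)
    return hash_password(params["password"])


def hardened_reset(params: dict, logger: logging.Logger) -> str:
    # Same handler, but only the redacted view of the request reaches the log.
    logger.debug("password reset request: %r", redact(params))
    return hash_password(params["password"])


# Detection: a credential-looking key followed by a value that is not the mask.
_LEAK_RE = re.compile(
    r"""['"]?(password|passwd|new_password|token)['"]?\s*[:=]\s*['"]?([^'",}\s]*)""",
    re.IGNORECASE,
)


def find_credential_leaks(log_text: str) -> list:
    """Return log lines that appear to carry an unmasked credential value."""
    leaks = []
    for line in log_text.splitlines():
        m = _LEAK_RE.search(line)
        if m and m.group(2) and m.group(2) != "[REDACTED]":
            leaks.append(line)
    return leaks


if __name__ == "__main__":
    request = {"user": "alice", "password": "correct horse battery staple"}  # constructed
    vlog, vbuf = make_logger("vulnerable")
    vulnerable_reset(request, vlog)
    print("vulnerable handler leaked:", find_credential_leaks(vbuf.getvalue()))
    hlog, hbuf = make_logger("hardened")
    stored = hardened_reset(request, hlog)
    print("hardened handler leaked:", find_credential_leaks(hbuf.getvalue()))
    print("verify:", verify_password("correct horse battery staple", stored))
```

The scanner is deliberately crude: it is the kind of check you run across log archives during an incident to size the exposure, not a substitute for never letting the credential reach the logger in the first place.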

Although Twitter’s abundantly cautious actions are laudable and it’s always good to see a company being transparent about security issues, I do wonder about the effectiveness of asking its 330 million account-holders to change their passwords, when research suggests that relatively few would actually heed that advice.

For instance, according to a new report from the password management company LastPass, risky password behaviours prevail: although 91% of respondents knew that using the same password for multiple accounts is a security risk, 59% mostly or always use the same password, and, incredibly, only 55% would change the password on a hacked account.

Twitter provided some helpful advice on password security – unlike some companies that tried to join in with World Password Day – which bears repeating:

  1. Change your password on Twitter and on any other service where you may have used the same password.
  2. Use a strong password that you don’t reuse on other websites.
  3. Enable […] two factor authentication. This is the single best action you can take to increase your account security.
  4. Use a password manager to make sure you’re using strong, unique passwords everywhere.

The German c’t Magazin exclusively reported last week that multiple security researchers had found another eight Spectre-like vulnerabilities in Intel and some ARM CPUs, which the magazine has named Spectre Next Generation, or Spectre-NG. Four of the eight are rated high risk and the other four medium. Cloud service providers and their customers are particularly affected, because the flaws undermine the isolation between tenants sharing the same physical processor.

The newly discovered flaws are unlikely to be patched for at least another couple of weeks, however. Jürgen Schmidt reported this week that the first patch, addressing a flaw found by Google’s Project Zero, was due to be released on 7 May, in line with Google’s 90-day disclosure deadline. That date has been postponed: Intel is now planning a coordinated release on 21 May, and that in turn might slip as far as 10 July.

According to Schmidt, the number of systems that need these patches is enormous: all Core i processors and their Xeon derivatives released since 2010 are affected, as are the Atom processors, and the Atom-based Pentium and Celeron parts, released since 2013.

Talking of risks to Cloud service providers, the EU’s Directive on security of network and information systems, or NIS Directive, came into effect this week. In the UK, the Directive was enacted as the Network and Information Systems Regulations 2018 (named specifically to confuse people who can’t get their heads around the difference between EU regulations and directives, it seems).

The NIS Regulations are applicable to operators of essential services in the energy, transport, health and water sectors, and to digital service providers. Non-compliant organisations face fines of up to £17 million. For more information, and guidance on compliance, visit https://www.itgovernance.co.uk/nis-directive.

Finally, it was Patch Tuesday this week. Microsoft released updates addressing 67 vulnerabilities, including two zero-days that have been exploited in the wild, and two bugs whose details have already been made public, but do not appear to have been exploited.

The first zero-day (CVE-2018-8174) is a remote code execution vulnerability in the VBScript engine, the second (CVE-2018-8120) an elevation of privilege vulnerability affecting the Win32k component.

The two publicly disclosed vulnerabilities are CVE-2018-8170, an elevation of privilege vulnerability in the way the Windows kernel handles objects in memory, and CVE-2018-8148, a remote code execution vulnerability affecting Excel.

Test and apply, prioritising the two actively exploited bugs.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.