Your Processor Remains Exploitable

Intel recently released yet another microcode update to fix yet another speculative execution flaw in its processors. Ars Technica has a good writeup on the flaw if you’re interested in specifics.

However, I’m not concerned with this particular flaw. What I am concerned about is how it was fixed: via a microcode patch.

The common perception is that if you update your processor’s microcode, your processor is “fixed.” Well, it isn’t. As I explained in my posting Negative Rings in Intel Architecture: The Security Threats That You’ve Probably Never Heard Of, microcode updates are transient. That is, every time you…


Have an Intel Processor? Then you’re a user!

MINIX: It’s the world’s most widely used operating system and another security threat that you’ve never heard of! Like all operating systems, it has bugs. Only you can’t patch the bugs in MINIX!

Introductory Note

If you are not familiar with the Intel Management Engine, I would recommend you first read the article, Negative Rings in Intel Architecture: The Security Threats You’ve Probably Never Heard Of.

Intel’s MINIX: So Many Questions. So Few Answers.

First, a few relevant facts.

If you have an Intel chipset in your computer, then you are running MINIX.


Not Actual Protection Rings, But Conceptual Privilege Levels Susceptible To Exploitation

Most likely, you’re aware of the hardware “protection rings” in Intel Architecture processors — the familiar “Ring 0” for the kernel through “Ring 3” for userland. But, have you ever heard of “rings” “minus one” through “minus three”? If not, you’re missing out on three entire levels of processor vulnerabilities.

Ring 0 Through Ring 3

In Intel Architecture (IA) processors, there are four protection rings, which are implemented in hardware using two bits in the Segment Descriptor Table, called the Descriptor Privilege Level (DPL) bits. The hardware logic behind the rings allows processes running at a given privilege level to access memory at that privilege…


A New Tool Detects If Your ISP Has Implemented Route Hijacking Mitigations

The Internet runs on a protocol called BGP, which determines how your data is routed from your ISP to its destination, such as Apple or Netflix. However, BGP, in its default configuration, is insecure and subject to hijacking attacks. There are mitigations for such attacks, but your ISP must explicitly implement them. A new tool from Cloudflare lets you check your ISP, and name and shame them if they haven’t implemented appropriate fixes.

Introduction

The BGP protocol is a decades-old routing protocol. It was never designed with security in mind. By default, its routes are unsigned, meaning that anyone can inject…


If You Can’t Properly Define Cybersecurity, How Can You Know What It Is?

It’s clear that the cybersecurity industry hasn’t been able to agree upon what cybersecurity is and isn’t. Even NIST, which is responsible for the definition of technical terms used by the U.S. Federal Government, has four different definitions of cybersecurity! At a minimum, there are dozens of different definitions of cybersecurity currently in use. Nearly all are incomplete in scope, some are horridly wrong, and nearly all fail to differentiate between cybersecurity and its information security cousin.

Background

If you look up the definition of “cybersecurity,” most of the answers you get are laughable. Most appear to be written by some…


Proper Requirements Are The First Step To Verifiable Security

All too often, organizations lack any appropriate definition of their security requirements. And, the alleged requirements documents that do exist are most likely design specifications, not requirements specifications. Serious security breaches are unavoidable without a proper understanding of what is to be secured and why. That is, serious security breaches are unavoidable without proper security requirements.

Context

When I go into an organization on a consulting job, among the first questions I ask is, “What are your security requirements?” Usually, the answer is, “Formal requirements? We don’t have any.”

That answer would not be surprising for the average small- to medium-sized…


A Guide To Learning How Well A Candidate Understands Security

The first question I ask someone in an interview for a cybersecurity position is, “What type of cellphone do you use?” The candidate’s answer can provide a deep insight into their security mindset regarding the importance of patching in managing security vulnerabilities. Additionally, it tells me a lot about their attitude regarding the importance of privacy.

As a consultant, I have seen many interview styles. The one thing I have learned is that it is rare for an interviewer to ask questions which probe my understanding of security. Interviews tend to come in three flavors: How have you solved a…


RFC1122 Specifies Only Four Layers in The Internet Protocol Stack

It is a common misperception that the Internet is based upon the ISO 7-Layer Model. It is not. It is based upon a software protocol stack defined in RFC1122 that has several differences from the ISO specification.

Only Four Layers!

The second question I always ask someone I’m interviewing for a network security position is, “How many layers are in the Internet Protocol stack?” Invariably the answer given is “seven.” That’s wrong! The correct answer is four. (Arguably, five could be considered a semi-correct answer, but we will get to that in a minute.) Don’t believe me? …


Blog Introduction and Index

Recent Updates

  • 2020/04/27: Added a list of recommended Security RSS blogs and newsfeeds.
  • 2020/04/28: Added a list of recommended Security mailing lists.

Welcome to the Real World Cyber Security Blog!

Einstein allegedly defined insanity as “doing the same thing over and over again and expecting different results.” Well, in information security and cybersecurity, we’ve sure been doing a lot of “the same old thing” over and over again, but we continue to get hacked. I guess we’re insane then, because we expect that what we’re doing will keep us from getting breached, but it doesn’t. Yet, we keep doing more and more of it and expecting different results. Insanity?


Why Biometrics Are Not Valid Authenticators

Most security courses teach there are three ways to authenticate: “What you know,” “What you have,” and “What you are.” However, authenticators must be revocable and deterministic. Biometrics (“What you are”) are probabilistic and non-revocable. Thus, biometrics cannot serve as a means of authentication.

Authentication Basics

Historically, the standard security mantra has always been that there are three ways to authenticate:

  • What you know (e.g., passphrase)
  • What you have (e.g., security tokens)
  • What you are (i.e., biometrics)

At one time, when all authentication was person-to-person, this was probably a more-or-less correct definition of how a person could be authenticated. However, in today’s…

RealWorldCyberSecurity

A blog discussing what we are doing wrong in security and how we need to fix it.
