Infosec roundup #5

2017 was a busy year , and one week into 2018 we have already seen some stunning new attack vectors take shape. I hope you all had a good break, because it’s already shaping up to be a busy year for defending your digital turf.

So without further ado, lets get into 2018 and pull apart the first week.

CVE(s) of the Week

Clearly, Meltdown and Spectre vulnerabilities (CVE-2017–5754 & CVE-2017–5715 respectively) captured the lion share of attention in the information security world this week.

There is so much comment and hyperbole available via the usual channels that I feel no need to harp on about it here.

I will say though, that I’ve been impressed at the cooperation of public organizations, individuals, and private enterprises to work around this issue.

With such a big, juicy, technically alluring set of bugs to play with this week though, it is easy to miss the forest for the trees.

So, here are my picks of the 199 other disclosures you might have missed over the holidays…

Your card data is important

POS terminals were found to be breached in the Forever 21 case

Thankfully, it has been a relatively small week for breaches, however some interesting revelations were aired late 2017 with Forever 21 confirming that they had found some of their POS terminals with malware, allowing attackers to ‘switch off’ encryption (probably turning off drive encryption) and walk away with credit card track data.

Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations. When encryption was off, payment card data was being stored in this log.

It is common to have centralised transaction authorisation logs in stores with many POS terminals. Having such logs are an important part of traceability in dispute scenarios, and for forensic teams in fraud or theft cases such as this.

However, the PCI Data Security Standard is very strict about encrypting or obfuscating PAN data at rest, as well as operational auditing. So this is not a great scenario to have played out. I really feel for all involved here.

A nice rundown of PCI basics can be read here

Hardware hackery

With KPTI, KAISER, KASLR, Kernel rewrites and the causative Intel, AMD and ARM chip issues out there — I was saved from repeating myself in this section, with this tweet from LiveOverflow today:

Sidechannels for FPGAs ya say? Hmmm

For the uninitiated, an FPGA is a type of integrated circuit that allows ‘field reprogramming’. They are chips, that are capable of becoming any circuit, restricted only by how many logic blocks are available on chip to satisfy the circuit design. Clearly its useful, but for what?

One of the areas in which chips that can be told to redesign themselves are very useful is in accelerating activities like machine learning, or high frequency financial trading systems.

The researchers pick apart side channel information yielded by the Spartan 6 FPGA to ultimately show that it is possible to quietly integrate Trojans into them. I’ll leave it to your imagination what that ultimately means in shared computing environments.

This opens a new door to integrate hardware Trojans in applications where the FPGA is remotely accessible and FPGA-based multi-user platforms where the reconfigurable resources are shared among different users

The research paper is not for the feint of heart, but if you’re into the physics of microelectronic engineering — you might like a read.

I’ll leave it there for this week, thanks for reading! I sincerely hope your 2018 is filled with fun and enjoyment.

Before I go, I’ll leave you with my favourite quote from the linux kernel mailing list this week

“And yes, paravirtualization is evil.” — Linus Torvalds