#meltdown  

If you own a computer, you should be having a 'meltdown.' Recently disclosed are critical flaws 'Meltdown' and 'Spectre' that affect most computers worldwide via CPUs from Intel, AMD, and ARM, allowing hackers to access sensitive data. Researchers from Google's Project Zero Team, Cyberus Technology, Graz University of Technology, the University of Pennsylvania and the University of Maryland, Rambus, and the University of Adelaide and Data61 discovered that a "method used by most modern processors for performance optimization could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails." These flaws, 'Meltdown' (CVE-2017-5754) and 'Spectre' (CVE-2017-5753 and CVE-2017-5715) can be executed on desktop machines, laptops, mobile devices, and in cloud environments. What's more, almost every modern processor since 1995 is vulnerable to the issues. Comforting. Both take advantage of a feature in chips known as 'speculative execution,' a technique used by most modern CPUs for performance optimization. "In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions," Project Zero says.Specifically, 'Meltdown,'  a related microarchitectural attack, allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. It works by breaking the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel. Researchers warn, "If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information." As for 'Spectre,' this flaw forces an application to share its secrets and can be used to violate browser sandboxing by mounting them via portable JavaScript code. It is a more difficult attack to pull off, and, according to the researchers, "application safety checks of said best practices actually increase the attack surface and may make applications more susceptible to 'Spectre.'"Microsoft, Apple, Linux, and Google have security patches available for one or both of these attacks. Check with the vendors for specifics on those patches, as they vary.

We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers. -Microsoft statement

Learn various techniques to keep your OS generally secure. Read 'Securing Your Unix Operating System.'

#passwords 

Have targeted advertisements been giving you the creeps lately? Even though you may have been covering your online activity, it appears an 11-year-old bug in browsers' built-in password managers is secretly stealing your email address for targeted advertising.  Back up, what? Yes, even the cautious among us should beware. According to Princeton’s Center for Information Technology Policy, this bug allows advertisers to track web users and can’t be stopped by private browsing, clearing cookies, or even changing devices. It works through the exploitation of login managers that autofill login details such as email addresses and passwords when they visit a familiar website. It appears on some sites that have embedded either one of two tracking scripts, 'AdThink' and 'OnAudience,' "the user is fed a second invisible login screen on a subsequent page that is autofilled by most browser password managers without the user realizing this is happening." From the invisible script, advertisers capture a hashed version of the user’s email address, which is sent to one or more remote servers run by the advertising companies. This is especially concerning as it could mean malicious actors could steal your saved usernames and passwords from browsers without requiring your interaction.For those who say, "it's just a hash," this is just one method that can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. Researchers also believe that tracking users via an email address identifier might allow advertisers to join different browsing histories together even after cookies have been cleared. Luckily, there are some limitations to this bug. First, it is not very common. The two scripts have only been found on 1,110 of the Alexa top one million websites. Second, LastPass, 1Password, or Dashlane don’t autofill invisible forms, so users of those tools are safe. Likewise, this bug only affects visitors to the sites who filled out their information, not simply those who visited. That being said, individuals should be especially cautious of ad tracking and use the Zero Trust Model when interacting with sites online.

Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user's email address will almost never change, clearing cookies, using private browsing mode, or switching devices won't prevent tracking. -Pricnceton researchers

Want a step-by-step tutorial for decoding a hash? Read 'Pass the Hash.'

#vulnerabilities 

'Trackmageddon' may sound like an episode from Black Mirror, but unfortunately, these vulnerabilities are real. They could enable attackers to expose sensitive data on millions of online location tracking devices managed by vulnerable GPS services.In a recent report, two security researchers, Vangelis Stykas and Michael Gruhn, have unearthed multiple vulnerabilities in hundreds of GPS services, affecting children trackers, car trackers, and pet trackers. Of the vulnerabilities found are easy-to-guess passwords (such as 123456), exposed folders, insecure API endpoints, and insecure direct object reference (IDOR) issues. This is especially worrisome because "an unauthorized third party or hacker can get access to personally identifiable information collected by all location tracking devices, including GPS coordinates, phone numbers, device model and type information, IMEI numbers, and custom assigned names." Perhaps worst of all, in some cases, unauthorized third parties can also access photos and audio recordings uploaded by these devices.From what researchers have seen, one of the largest global vendors for GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and seller of licenses to the software. It appears since the initial disclosure, they have patched some of the vulnerabilities, but about 79 domains are still vulnerable. In order to protect yourself from falling victim to 'Trackmageddon,' the researchers recommend removing as much data from the affected devices as possible, changing the password for the tracking services and keeping a strong one, or just stopping to use the affected devices until the issues are fixed.

We understand that only a vendor fix can remove user’s location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed. -security researchers

In September 2017, more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online. Get the details of this similar story in a previous version of 'UNM4SK3D.'

#factbyte

McAfee's survey, 'New Security Priorities in An Increasingly Connected World,' said that with the increased volume of attacks and breaches, 61% of consumers surveyed claimed that they are more worried about cybersecurity today than they were five years ago. However, McAfee said that only 37% of consumers have signed up for an identity theft protection solution. Additionally, 28% of consumers claim that they have no plans to sign up for a service that monitors and helps protect their identity and personal information.Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.