Security Weekly 58: The Greatest Hits
Remember this post, in 10 years everyone will say: here, everything is correct in the digest. Or vice versa: they did not guess at all, in one place.Predicting the future is an occupation that is doomed to failure since prediction is always based on knowledge of the present and the past.
The upcoming 2019 year is described in Philip Dick’s Blade Runner, who still knew how to foresee. According to the novel (and a little – the film), we all live in a dysfunctional world, where it constantly rains, there are flying cars and robots, but there are no animals at all.
That is why the predictions of the experts of Kaspersky Lab are very practical, they are more likely designed for security guards who need to identify trends for the next year. But nevertheless let’s try to choose the events of 2018, which can become the basis of something more in information security that has been relevant for a long time. The preparation used materials from this blog for the entire year, so that before you a unique format: digest digests.
Specter and Meltdown
Vulnerabilities found only in Intel (Meltdown) processors, and those found in almost all modern processors (Specter), are the main news of the year. Let’s take a quick look at Meltdown: this is a private vulnerability that you can close and forget (until you find another one the same). Specter just won’t be able to close it: a theoretical attack on a vulnerable system implies both certain behavior of iron and certain characteristics of the code of the attached application. There are many options for Specter-like attacks, as several studies have shown this year. For example, a Specter modification with the possibility of rewriting read-only memory cells or NetSpectre is an attack that can be carried out remotely, over a network, and even without executing code on the system under attack.
All Specter-like attacks fall into the category of attacks via third-party channels: when some secret information is not transmitted in the open but is extracted based on the analysis of response time or (in the case of traditional side channel attacks) fluctuations of the current consumed by the device. In general, this is such an analog of a spy device for “eavesdropping” glass vibrations in a room where a conversation is being conducted.
- It is too early to talk about some practical application of these attacks. For example, in the case of NetSpectre, under ideal conditions, it was possible to achieve “theft” of secret data at a speed of four bits per minute. And no one is even discussing whether these are the data that is needed – in the sense of whether there is any really important information among them. Studies around Specter can “shoot” in 10 years, and they can remain a niche topic of protecting devices, where you need to protect everything and everything from everything, to avoid.
Is there a similar story in which a purely scientific study has acquired practical outlines in order to estimate the dates? You can look at the SHA-1 cryptographic hash function. It was developed by the US National Security Agency in 1995. Ten years later, in 2005, for the first time, researchers showed that the computational power required to search for collisions (two data sets generating the same hash) is less than theoretically predicted (but still very much). In 2012, the score was 2 in the eleventh degree of server-years by 2015. But in 2015, the servers were better than expected, the new calculations showed a ridiculous figure for some state intelligence services in 49 days. This was enough to recognize the hashing algorithm as unreliable: in 2017, manufacturers of all major browsers stopped using it for generating SSL certificates. In the same year, researchers from Google and the CWI Institute showed a practical attack: they created two different PDFs that give the same hash using SHA-1.
Total, 22 years of technology existence, 12 years of scientific research and, notice, no benefit to cybercrime: even the experiment with two PDF both remained a purely scientific exercise and remained. Specter can become really dangerous if processor manufacturers continue to ignore it, and they sometimes try: new research on the topic is sometimes accompanied by comments from vendors that this is, they say, standard behavior, a feature, not a bug.
The study on the restoration of the image on the monitor according to the nature of the noise emitted by the power supply of this monitor itself also looks doubtful from the point of view of its actual use. Nevertheless, the researchers, albeit with great reservations, managed to restore the image on the display screen, recording and analyzing only the squeak of the power system, using convolutional neural networks and training them in comparing the parasitic noise and image. In a sense, this is also an attack on third-party channels: data capture through a place in which no one expected failure.
And this, in Blade Runner (this time in the film), is just well predicted – at the appropriate time of shooting the eight-bit condo style:
There, voice control, intelligent image processing (more about this episode – here), in general, Hollywood in all its glory. Although the real research is far from such technical heights, it quite fits into the canon of incredible, fantastic achievements of the national economy. It’s only the beginning. And what will happen? Let’s fantasize: authentic identification of users on the web by the way they move the mouse, scroll the screen of the smartphone and hold the phone in their hand. Determination of mood by voice. The threat of privacy due to massively collected and processed data, helping to build a profile with such features of a person, which he does not know. Universal identification by face on the streets of the city. Oh wait, this is not the future, this is the present!
Well, all these technologies will not necessarily go to the detriment of humanity – on the contrary, they can help. Machine learning makes it possible to extract meaning where previously only white noise has been seen. This gives both new opportunities and brings new risks, at least in terms of storing the collected data. As a maximum, technologies like scientific research about monitors will make it extremely difficult to keep something secret. Although you buy direct typewriters, there surely you can restore all the text entirely by the sound of keystrokes.
IoT and equated to them
One of the most popular digests of this year was devoted to vulnerabilities in routers Mikrotik, D-Link and TP-Link. Equating routers to the Internet of things is a controversial thought; we’ll formulate carefully: serious risks in the future will be represented by devices operating autonomously, communicating mainly with their own kind and making it so that few people know what is happening there. Routers are such an indicative victim, since for the last couple of years they have been attacked en masse, have all the signs of autonomous devices, and their compromise sooner or later becomes noticeable.
- The obvious victims of the insecure IoT of the future are smart speakers and other devices that monitor the owner around the clock. The news about them is still reminiscent of jokes: either the smart speaker in the middle of the night starts to giggle, then the resident of Germany, upon request as part of the GDPR, receives from Amazon voice recordings of a completely different person. Anything that is connected to your home network and has its own relationship with external servers is potentially vulnerable. While the discussion around smart devices revolves only around privacy, but it is possible that soon we will talk about isolating IoT from everything else: why does your electricity meter have access to your file ball?
In ideas about the future, we often tend to go to extremes: there will be either a beautiful utopia or cyberpunk darkness. Dear editors suggest that everything will be quite good, even without flying cars. But even if so, the era of “personal computer” as a useful, but an optional device such as a calculator, is coming to an end. It starts the time in which people are fully embedded in the network, interacts with it every minute and depends on it. It means that you should not take lightly even the theoretical threats to the efficiency of this world. This world is different, but in general, it is good enough to try not to break it. Will it work out? We will continue to monitor.