This week’s security snacks:
- The security flaw that keeps on giving
- Thunderbolt device hacking your system? You’ve been ThunderClap’d
- [Abandon All Security Here]… Cloud Migration Ahoy
Spectre, the Security Flaw That Keeps on Giving
Microsoft rolls out yet another security fix (KB4482887) to protect against the Spectre variant 2 (branch target injection, CVE-2017-5715) vulnerability.
Since Spectre raised its head in 2017 (it was reported to vendors that year and disclosed publicly in January 2018), there has been a succession of Windows updates to protect the OS against this speculative execution attack. This latest patch is based on a coding technique developed by Google called Retpoline (see Google’s official blog here for more details).
Retpoline, published by Google in January 2018, mitigates Spectre variant 2, in which an attacker trains the CPU’s indirect branch predictor so that privileged code speculatively executes a gadget of the attacker’s choosing and leaks data across the normal isolation between processes. Retpoline replaces each indirect call or jump with a “return trampoline” that steers speculation into a harmless loop, and because it is a pure software technique it is far cheaper than the microcode-based IBRS mitigation Windows had been using. Microsoft had originally planned to ship the Retpoline-enabled kernel in the spring 2019 release of Windows 10; however, as of March 1st, 2019 they have made it available for Windows 10 version 1809 (the October 2018 Update) through KB4482887.
You can find an excellent write-up of this in the ZDNet article titled, Microsoft rolls out Google’s Retpoline Spectre mitigation to Windows 10 users.
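One check an administrator will want after installing the update: installing KB4482887 does not by itself mean Retpoline is active, since Microsoft switched it on in phases and only on processors where it is a complete mitigation. The following PowerShell is an added example (not code from the original post or from Microsoft’s documentation); it assumes the SpeculationControl module from the PowerShell Gallery, version 1.0.8 or later, which is the version that added the BTIKernelRetpolineEnabled field, and an elevated prompt.

```powershell
# Added example; not from the original post or from Microsoft.
# Reports whether the Spectre variant 2 update KB4482887 is installed and whether
# the Retpoline-based mitigation is actually active on Windows 10 version 1809.
# Assumes the SpeculationControl module (1.0.8+) is installable from the Gallery.

function Get-SpectreV2Status {
    [CmdletBinding()]
    param()

    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl

    # -Quiet returns only the result object and suppresses the cmdlet's narrative output.
    $sc = Get-SpeculationControlSettings -Quiet

    # Is the March 1st 2019 cumulative update present? Get-HotFix errors when the ID is absent.
    $kb = Get-HotFix -Id KB4482887 -ErrorAction SilentlyContinue

    # FeatureSettingsOverride / FeatureSettingsOverrideMask can switch the mitigation off
    # even when the update is installed; unset (null) is the default "enabled" state.
    $mm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -ErrorAction SilentlyContinue
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    [pscustomobject]@{
        OSBuild                     = "$($nt.CurrentBuildNumber).$($nt.UBR)"   # 17763.348 is KB4482887
        KB4482887Installed          = [bool]$kb
        BTIHardwarePresent          = $sc.BTIHardwarePresent        # microcode exposes IBRS/IBPB
        BTIWindowsSupportEnabled    = $sc.BTIWindowsSupportEnabled  # OS mitigation for variant 2 is on
        RetpolineEnabled            = $sc.BTIKernelRetpolineEnabled
        ImportOptimizationEnabled   = $sc.BTIKernelImportOptimizationEnabled
        FeatureSettingsOverride     = $mm.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $mm.FeatureSettingsOverrideMask
    }
}

$status = Get-SpectreV2Status
$status | Format-List

if ($status.KB4482887Installed -and -not $status.RetpolineEnabled) {
    Write-Warning ('KB4482887 is installed but Retpoline is not active. Microsoft enabled it in phases ' +
                   'and only where it is a complete mitigation (Intel Broadwell and earlier, and AMD); ' +
                   'later Intel CPUs stay on the IBRS mitigation, so this can be expected.')
}
```

Run it before and after the update on a representative machine of each CPU generation you own: the useful signal is the pair BTIWindowsSupportEnabled / RetpolineEnabled, not the hotfix list, and a non-null FeatureSettingsOverride is a sign someone disabled the mitigation for performance and never turned it back on.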
Thunderbolt Device Hacking Your System? You’ve Been Thunderclap’d
Researchers discovered a security weakness that lets a malicious peripheral bypass the IOMMU / Kernel DMA Protection and gain read/write access to system memory, and with it all the good security bits within your OS.
Just as we get over the issues of Spectre and Meltdown, along comes another security-based flaw.
“Thunderclap” is the name security researchers have coined for a class of DMA attacks they demonstrated with a malicious Thunderbolt peripheral. It works by circumventing the protection an IOMMU (Input/Output Memory Management Unit) is supposed to provide, including the Kernel DMA Protection mode that Windows 10 offers from version 1803 onwards. Microsoft explains it in this doc.
In this instance, by pretending to be a legitimate device (a network card, say), the malicious peripheral gets the OS to load a driver and hand it DMA mappings, and the protection offered by the OS is bypassed, giving carte blanche access to memory it should never see. The security recommendation at present is, unfortunately, to disable the Thunderbolt/USB-C port (typically a Thunderbolt security setting in the system firmware) to avoid these threats where Kernel DMA Protection is unavailable. Not a good situation to be in now your new shiny docking station has arrived; however, keep an eye out for upcoming security fixes.
For detailed information on this issue read The Hacker News’ article titled, New Flaws Re-Enable DMA Attacks On Wide Range of Modern Computers.
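Before deciding whether to disable ports, it is worth knowing what the machine already has in place. The following PowerShell is an added example (not code from the original post, the Thunderclap researchers, or Microsoft); it audits the Windows-side defences relevant to this attack on Windows 10 version 1803 or later. It assumes that the msinfo32 text report labels the row “Kernel DMA Protection” exactly as the GUI does, that DisableExternalDMAUnderLock under the FVE policy key is the registry form of the BitLocker policy “Disable new DMA devices when this computer is locked”, and an elevated prompt.

```powershell
# Added example; not from the original post, the Thunderclap researchers, or Microsoft.
# Audits Kernel DMA Protection, the BitLocker "new DMA devices when locked" policy and
# the presence of Thunderbolt hardware on Windows 10 version 1803 or later.
# Assumptions: msinfo32's /report output names the row "Kernel DMA Protection";
# DisableExternalDMAUnderLock is the registry value behind the BitLocker policy.

function Get-DmaProtectionStatus {
    [CmdletBinding()]
    param()

    # 1. Kernel DMA Protection (IOMMU-backed DMA remapping for hot-plugged PCIe/Thunderbolt
    #    devices). There is no WMI class for it, so export a System Information report and parse it.
    $report = Join-Path $env:TEMP 'msinfo32-dma.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait -WindowStyle Hidden
    $row = Get-Content -Path $report | Where-Object { $_ -match 'Kernel DMA Protection' } | Select-Object -First 1
    $kernelDma = if ($row -and $row -match '^\s*Kernel DMA Protection\s+(.+)$') {
        $Matches[1].Trim()
    } else {
        'Not reported (pre-1803 OS or platform without IOMMU support)'
    }

    # 2. BitLocker policy "Disable new DMA devices when this computer is locked" (DWORD 1 = on).
    #    It blocks DMA-capable devices plugged in while the session is locked, the classic
    #    "walk up to an unattended laptop" moment.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name 'DisableExternalDMAUnderLock' -ErrorAction SilentlyContinue
    $blockWhenLocked = if ($fve) { $fve.DisableExternalDMAUnderLock -eq 1 } else { $false }

    # 3. Thunderbolt controllers/devices currently present, i.e. whether the attack surface exists.
    $tb = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.FriendlyName -match 'Thunderbolt' } |
          Select-Object -ExpandProperty FriendlyName

    [pscustomobject]@{
        KernelDmaProtection          = $kernelDma
        BlockNewDmaDevicesWhenLocked = $blockWhenLocked
        ThunderboltDevicesPresent    = @($tb)
    }
}

$dma = Get-DmaProtectionStatus
$dma | Format-List

if ($dma.ThunderboltDevicesPresent.Count -gt 0 -and $dma.KernelDmaProtection -ne 'On') {
    Write-Warning ('Thunderbolt hardware is present but Kernel DMA Protection is not on. ' +
                   'Until a fix ships, the current advice is to disable the Thunderbolt ports in firmware.')
}
```

The msinfo32 export takes a few seconds, so do not run this in a tight inventory loop. Kernel DMA Protection reporting “On” is necessary but not sufficient: each device driver must also opt in to DMA remapping, which you can see per device in Device Manager under Details, property “DMA Remapping Policy”. A driver that has not opted in leaves its device unprotected even on a machine that reports “On”.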
[Abandon All Security Here].. Cloud Migration Ahoy
Without proper due diligence, your journey to the cloud could be a security no-no, and might end in tears.
The rise in availability of cloud-based services over the past five years has dramatically changed the landscape of the IT department. People are thrilled with the ability to scale on demand, consume new applications in record time, and give the CFO a cost per employee per month. All this has companies falling over themselves to get into the cloud.
This, unfortunately, is also the big issue. As companies race to get rid of their costly datacenters and remove the software maintenance headache, security often gets overlooked. Microsoft, Amazon and others in this space do an excellent job of publishing their security accreditations, which is great in an audit. [Refer to article 123 on https://yourcloudproviderhere …]. However, those accreditations cover the provider’s side of the shared-responsibility model; they do not cover what happens when your own privileged accounts are compromised because of poor security planning.
One of the key points here is that the lines of which team owns security are being blurred by this need/want to use cloud services. If your organization were in the early steps of a merger, the security team would be all over it, driven by management. This should also be the case when your organization has decided to merge internal services with those provided by a cloud services partner.
So, if you are starting out, or have even already migrated your data to the cloud, take time to reflect on your own security practices to ensure you don’t fall foul of a security breach, or worse.
For more information read the Dark Reading article titled, Security Pros Agree: Cloud Adoption Outpaces Security. A good place to start with Microsoft docs on the topic is Azure Security Best Practices and Office 365 Security Best Practices.