Latest News & Comment
Comment: 2018/01/16 - Media roundup.
It's been a busy few days...
- FBI Director Christopher Wray deems unbreakable encryption an "urgent public safety issue".
- And in opposition to the previous story, Microsoft launches "Private Conversations" in Skype, which uses the Signal Protocol.
- AdultSwine malware discovered on the Google Play store displaying pornographic adverts in games designed for kids.
- The CIA concludes the Russian military were behind the "NotPetya" cyberattack in the Ukraine.
- New, extremely sophisticated Android spyware tool.
Comment: 2018/01/08 - Domestic Travel Advice 2018 Edition, Issue 1.
It would be sod's law that as soon as we published the most recent version of Domestic Travel Advice, the 2018 edition would rock up with very significant changes to the content and layout.
We hope to make it available on the website by the end of the month.
Comment: 2018/01/04 - Spectre and Meltdown CPU flaws.
In the increasing war for GHz, it transpires that Intel, AMD, ARM and probably every other CPU manufacturer in the world have been playing fast and loose with the security of the host OS for the last ten to twenty years.
The major IT vendors have known about this for a wee while now and were attempting to co-ordinate updates; rumour has it that it was supposed to be disclosed next week. It appears that The Register broke ranks and published the news early.
The flaws, which have been categorised into three different CVEs, are present because of the way that processors optimise performance. The original research paper for Spectre is here and for Meltdown, here.
The first advice from NCSC was laughable. That said, I've seen grown adults who pass themselves off as security professionals struggle to understand the implications of the flaw, with various knee-jerk reactions highlighting the performance hit for patched systems. The situation is no doubt compounded by the mainstream press coverage.
The initial advice from CERT highlighted that these vulnerabilities are unlikely to be entirely patchable.
NCSC eventually produced better advice with links to statements of fact from the various vendors. As an example of the BS surrounding this, The Register analysis of the Intel statement is worth a read.
It would be easy to laugh this off and put your head in the sand, but this is a fundamental flaw in the way that certain microprocessor architectures have been designed. Is it a coincidence that Intel's CEO Brian Krzanich dumped a load of stock, making about US$25 million, in the month before the disclosure? Certainly it appears that Intel will be subject to an investigation.
Back in the real world, where do we stand? Having done considerable research, our conclusion is that all the vulnerabilities still require a foothold on a compromised machine. Good "cyber-hygiene" will continue to prevent bad things happening.
- Spectre: CVE-2017-5753 (Variant 1 - Bounds check bypass) and CVE-2017-5715 (Variant 2 - Branch target injection). Intel, AMD and ARM processors are vulnerable, but an exploit requires significant knowledge of the target environment. A complete fix is unlikely as it requires CPUs to be re-engineered.
- Meltdown: CVE-2017-5754 (Variant 3 - Rogue data cache load). Seemingly only Intel CPUs are vulnerable, although ARM have submitted patches for this particular vulnerability. This is easy to exploit, but easy to fix - with a question over the resulting performance impact.
A good list of manufacturers and their patch status.
In terms of performance:-
- Desktop file and print is unlikely to have much of a performance hit. I/O will have a performance hit, but it won't be massively noticeable.
- Enterprise applications, on the other hand, do have significantly degraded performance. Given the nature of these systems, it could be a risk-based decision as to whether to patch these systems at all. If a database server is at the bottom of a software stack, it is a reasonable position that performance takes precedence.
- There are major concerns regarding systems running as a virtual host, or the virtual machines themselves. Anecdotal evidence suggests the main cloud providers are experiencing a not insignificant performance hit, although there's been little public voicing of this from their customers. Scalability has a benefit!
Update: 2018/01/06 - Here come the class action lawsuits.
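Since the decision to patch is described above as a risk-based one, the first thing a practitioner wants is a reliable read on where a given host actually stands for each of the three variants. The script below is an added example, not part of the original post: it reads the per-issue status files that Linux kernels from 4.15 onwards export under /sys/devices/system/cpu/vulnerabilities/ (spectre_v1, spectre_v2 and meltdown, each containing "Not affected", "Vulnerable" or "Mitigation: ..."). The directory is a parameter so the function can be exercised against a constructed sample tree; on a real host it is simply run with no argument.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Spectre/Meltdown mitigation
# status. Assumes Linux 4.15+ sysfs layout; older kernels have no such files,
# which the script reports as "unknown" rather than silently treating as safe.

# Print "<issue>: <kernel status>" for each of the three variants.
# Returns 0 only when every issue is "Not affected" or has a "Mitigation: ...".
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for issue in spectre_v1 spectre_v2 meltdown; do
        f="$dir/$issue"
        if [ ! -r "$f" ]; then
            printf '%s: unknown (%s not readable; kernel too old or no sysfs)\n' "$issue" "$f"
            rc=1
            continue
        fi
        status=$(cat "$f")
        printf '%s: %s\n' "$issue" "$status"
        case "$status" in
            "Not affected"|Mitigation:*) ;;   # nothing to do
            *) rc=1 ;;                        # "Vulnerable" or anything unexpected
        esac
    done
    return $rc
}

# Build a constructed sample tree (Variant 2 deliberately left unmitigated)
# so the check can be demonstrated without the real sysfs. Prints the path.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf '%s\n' "$d"
}

main() {
    sample=$(make_sample_tree)
    if check_cpu_vulns "$sample"; then
        echo "sample host: all variants mitigated"
    else
        echo "sample host: at least one variant unmitigated or unknown"
    fi
    rm -rf "$sample"
}

main
```

Run it with no argument on a patched host to see the kernel's actual strings; anything other than "Not affected" or a "Mitigation:" line, or a missing file, makes the function return non-zero, which is the condition to feed into whatever patch-tracking or inventory process the site uses.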
Comment: 2018/01/03 - Website update.
Very observant readers will notice that we have subtly changed the website. There are not many content changes: just a few things updated, old stuff removed and Domestic Travel Advice now has its own permanent page here under Products and Services. Because of the wide-ranging nature of the update, there may be a few glitches, but we'll get them ironed out as we find them.
Comment: 2018/01/01 - Happy New Year!
Once again, as the clock ticked past midnight, BladeSec IA Services became another year older as we celebrated our sixth birthday. Who'd have thought that so many of our clients share our views on how information assurance consultancy should be done!
As usual, that means it's time for our tongue-in-cheek look at the last twelve months:-
- Miles to closest job: 40.6 miles.
- Miles to farthest regular job: 187 miles.
- Largest number of miles covered in a single job: 2434 miles (at no cost to the customer - we even expect to rack up another 1156 miles before January has gone.)
- Number of products sold: Nil.
- Number of different BladeSec IA services sold: 3.
- Amount of money received for anything other than consultancy: £nil.
- Number of customers assisted in the last twelve months: 5.
- Number of individual projects worked on: 12.
- New customers: 3.
- Number of tenders submitted: 3.
- Most interesting place visited: Unfortunately this year, we're not allowed to say!
- Value of donations made by BladeSec IA to support good causes: £310.
- Amount of time donated by BladeSec IA staff pro-bono: 13 days.
- Number of redundant BlackBerry phones in the "spare handsets box": 5.
- Number of pages printed on the office colour laser this year: 3570.
- Number of pages printed since the supply level went to Very Low: 1141.