Meltdown and Spectre Vulnerabilities

New York, NY – We at Adept Technologies have already updated all of our server systems at our datacenters and offices for the Meltdown and Spectre Vulnerabilities. We have already sent out updates to our “on-premise” software systems that support the fixes being released by OEM vendors.

For our “off-premise” solutions, we at Adept Technologies have invested large sums of money over the last ten years in having our own hardware and datacenter spaces. We do not use Amazon, Google, Microsoft Azure or any other 3rd party “cloud” service providers and we never will. We do not use VMware or any other hypervisor-based technology. We are not like other technology companies that leverage these services to reduce their costs with your data; you are safe with us.

We have added information, based on outside sources, on what the Meltdown and Spectre vulnerabilities are; it is listed below.

Adept Technologies Datacenters

What are Meltdown and Spectre?

Three critical vulnerabilities were recently identified by independent teams of security researchers. The three vulnerabilities, collectively dubbed Meltdown and Spectre, impact all Intel CPUs built in the last 10 or so years, which is quite a significant number of devices. These vulnerabilities enable a malicious user-land application to read the protected kernel memory of other processes (Meltdown) and applications (Spectre). This could include things like passwords, personal documents, and credit card data.

Who is affected by this?

Almost everyone, especially cloud server providers. Meltdown exclusively impacts Intel processors, so if you have an Intel CPU you’re impacted. Spectre, on the other hand, impacts Intel, AMD, and ARM processors. Combined, the list of vulnerable devices includes PCs, Macs, Android and iOS devices, and smart devices, all of which run a potentially vulnerable CPU.

How are they exploited?

Exploitation occurs through the execution of malicious untrusted applications. Proof of concept JavaScript code has been released for Linux. This means that all a victim has to do is visit a website that has been compromised. Spectre is a more difficult vulnerability to exploit, and to this point no proof of concept code has been seen in the wild.

What do they do?

The vulnerabilities enable an attacker who has gained access to the device to defeat the barriers between the memory space of user-land (normal) processes and kernel processes. This effectively enables a malicious application to read portions of kernel memory, which often contains data prior to being encrypted, processed, and sent to a socket.

How do I protect myself?

Update your software! Microsoft, Apple, Google, and other vendors have released patches to mitigate the risk of Meltdown. If an update is available for your platform, install it. Intel has also announced that 90% of the CPUs released within the last 5 years will have a patch available by next week, which should mitigate the impact of Spectre.
Outside of software updates, use sound fundamental security principles when accessing the Internet. Avoid downloading and executing files from untrusted sources, and avoid visiting unknown sites.
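
One way to confirm that an installed update actually took effect on a Linux server, shown as an added example that is not part of the original article or of Adept Technologies' own tooling. It assumes a kernel that exposes per-vulnerability status files under `/sys/devices/system/cpu/vulnerabilities` (an interface the article does not mention); the function and constant names are illustrative.

```python
"""Report whether a Linux kernel lists Meltdown/Spectre mitigations as active."""
import os
import sys

# Assumption (not from the article): patched Linux kernels expose one status
# file per CPU vulnerability in this sysfs directory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Status files covering the three issues grouped as Meltdown and Spectre.
WATCHED = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map a kernel status line to ok / partial / vulnerable / unknown."""
    text = status.strip()
    if text == "Not affected":
        return "ok"
    if text.startswith("Mitigation:"):
        # A mitigation line can still flag one sub-feature as vulnerable.
        return "partial" if "vulnerable" in text.lower() else "ok"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(directory=SYSFS_DIR, names=WATCHED):
    """Return {name: (verdict, raw_status)} for each watched status file."""
    report = {}
    for name in names:
        try:
            with open(os.path.join(directory, name), encoding="utf-8") as fh:
                raw = fh.read().strip()
        except OSError:
            # No status file: the kernel may predate the fixes entirely.
            report[name] = ("unknown", "status file missing")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_update(report):
    """True when any watched issue is not confirmed as mitigated."""
    return any(verdict != "ok" for verdict, _ in report.values())


if __name__ == "__main__":
    result = audit()
    for name, (verdict, raw) in sorted(result.items()):
        print(f"{name:12} {verdict:10} {raw}")
    sys.exit(1 if needs_update(result) else 0)
```

The script exits non-zero when any of the three entries is not reported as mitigated, so it can be run across a server fleet after patching to list hosts that still need attention.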

More talent … Less technology

No one is safe from internet attacks, and A.I. defenses can’t help, Google security veteran says (https://www.cnbc.com)

A cybersecurity expert who has protected Google’s systems for 15 years said Monday no one is safe from internet attacks and software powered by artificial intelligence can’t help defend them.

Heather Adkins, director of information security and privacy and a founding member of Google’s security team, also advised consumers not to put sensitive personal information in their online communications.

“I delete all the love letters from my husband,” Adkins told several thousand people gathered for TechCrunch Disrupt 2017, a technology conference in San Francisco, after telling them “some stuff” like personal information shouldn’t be put in emails.

Network attacks “can happen to anyone … anywhere,” Adkins said during an onstage interview in which she urged startups to assume they would get hacked eventually and to prepare a response plan.

Google has said that more than 1 billion people use its Gmail program.

Adkins’ remarks came several days after the credit-monitoring firm Equifax revealed what may be the largest data breach to date.

Adkins explained that AI-powered security software is not particularly effective at stopping even 1970s-era attack methods, let alone more recent ones.

“The techniques haven’t changed. We’ve known about these kinds of attacks for a long time,” Adkins told the crowd, pointing to a 1972 research paper by James Anderson.

While AI is very good for launching cyberattacks, it’s not necessarily any better than non-AI systems for defense — because it produces too many false positives.

“AI is good at spotting anomalous behavior, but it will also spot 99 other things that people need to go in and check” out, only to discover it wasn’t an attack, says Adkins.

The problem in applying AI to security is that machine learning requires feedback “to learn what is good and bad … but we’re not sure what good and bad is,” especially when malicious programs mask their true nature, she said.

When asked what advice she would give to businesses to keep their networks safe, Adkins advised “more talent … less technology.”

“Pay some junior engineers and have them do nothing but patch,” she said.

… Continue reading at https://www.cnbc.com

My Two Cents: I agree to disagree. The future reality is AI is here to stay and expand. Talented humans are needed to maintain and help design the AI systems. The expansion of the Internet is alarming, and my thoughts right now are out on if this is a good thing or a bad thing. Back in the 1990s I thought it was a good thing when I led the development of placing mechanical systems on the internet as a way of tracking and increasing productivity. I now believe this was wrong, based on the security risks that have exploded. AI is needed, we just do not have enough talented humans for the tasks at hand….

Facebook security boss says its corporate network is run “like a college campus”

Facebook security boss says its corporate network is run like a college campus (http://www.zdnet.com)

In July of 2017, Alex Stamos, Facebook’s security chief, told employees in a conference call that the company isn’t doing enough to respond to growing cyber threats: in fact, with Facebook’s “move fast” mantra, the vault that stores the keys to a billion lives is (deliberately) run like a college campus, but has the threat profile of a defense contractor, he said.

The threats that we are facing have increased significantly, and the quality of the adversaries that we are facing. Both technically and from a cultural perspective, I don’t feel like we have caught up with our responsibility.

The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost.

We have made intentional decisions to give access to data and systems to engineers to make them ‘move fast,’ but that creates other issues for us.

The comments were part of an internal talk to employees during which he discussed the challenges Facebook had with keeping its networks secure, amid a growing danger of state-sponsored actors and advanced persistent threats, which in some cases have near-limitless resources.

For his part, Stamos, when reached, said that he had used the “college campus” line several times internally to describe challenges that the company faces, and used it as a figure of speech.

“My team runs network security for the company, and of course we secure it thoroughly,” he said Thursday.

Stamos denied that the comments were a criticism of the company’s management. “They care a great deal,” he said. “It’s not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network.”

… Continue reading at http://www.zdnet.com

My Two Cents: I would locate the Facebook employee or contractor who tapped this phone call and leaked this information to ZDNet. Cyber Security teams are facing very tough challenges. The bad guys can be wrong multiple times, the Cyber Security teams cannot be wrong once… but we can all learn from our mistakes. I am sure the next conference call will be secure.

North Korea Escalating Cyber-Attacks

North Korea Escalating Cyber-Attacks With Little Fear of Retaliation (http://www.eweek.com)

Online attackers from North Korea reportedly stole confidential military documents, including war contingency plans drawn up by U.S. and South Korean forces. Without any downside, such attacks will continue, security experts say.

The data, part of a massive haul of 235 gigabytes taken during an intrusion spanning the months of August and September 2016, was only recently identified as the South Korean government pieced together what was taken.

Lee Cheol-hee, a South Korean lawmaker and member of the parliamentary defense committee, said that attackers had infiltrated the Defense Integrated Data Center, according to The Washington Post. The stolen data includes war plans and a scheme to assassinate North Korean dictator Kim Jong-un in the event of war, according to the South Korean lawmaker. The attack happened last year, but only 20 percent of the documents have so far been identified.

… Continue reading at www.eweek.com

My Two Cents: I read that the documentation stolen was located in a network not connected to the internet, and that a so-called maintenance port was accessed with a laptop that acted as a go-between for the North Koreans and the South Korean systems. I am shocked that such a highly classified network did not alert the South Koreans that an unknown device had attached itself to their system and was accessing data. But of course spies have access if they are already on the inside and are authorized access. I would review all the authorized user access records and locate the spies within the organization…. but then again don’t believe what you read…

Big Data Needs Bigger Security

Big Data Needs Bigger Security (http://www.usnews.com)

The Equifax breach shows why data companies must be held accountable.
The age of big data is here, along with a growing list of big data breaches and the big mess created for millions of affected consumers. The only thing missing is big consequences for companies that are causing these big losses. Last week, Equifax lost highly confidential personal and financial data on as many as 143 million people. The worst part? You didn’t even give them permission to obtain this information. They can legally collect, store and share it regardless. Although banks have a self-serving track record of their own (Wells Fargo, anyone?) at least as a client, you have a direct relationship that permits you to use the law to hold them accountable.

… Continue reading at www.usnews.com

My Two Cents: After reading this I would have to agree. If corporations are going to store highly confidential personal and financial data and they lose this data based on hacking, which means this data was exposed to the internet, then this company would be responsible. What bothers me about Equifax is the time it took to notify everyone, and I mean everyone’s personal information in the USA has been exposed. This is huge. Sadly, security software systems do exist that would have secured this data, but these Big Companies appear to not care to invest in these systems.