What do you call what’s worse than (a) BEAST?
The biggest cyber security news of 2018 has surfaced, and much has already been said about the Meltdown and Spectre vulnerabilities.
The most complete non-technical article I’ve read about this yet is available here.
Like the BEAST (SSL) vulnerability, these flaws have widespread applicability and provide the adversary with tremendous opportunity to breach information confidentiality. The similarities stop there though. Unlike BEAST – which impacts software (browsers) – Meltdown and Spectre impact the processor, a critical computing component, and therefore affect all operating systems. Suffice it to say that this is much bigger than BEAST in my opinion.
To recap, on affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges. This conflicts with the concept of memory isolation – a core computer operating system security feature. As a result of this vulnerability, an adversary can use a malicious program to access the memory space allotted to any other computer program. Scary, isn’t it?
Spectre, on the other hand, involves inducing an unsuspecting user to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary.
From a technical standpoint, the two white papers referenced above contain pretty much everything anyone needs to know about these flaws and how they can be exploited. For enterprise defenders and IT departments, however, here are some of the most important things to bear in mind:
Amazon has come out to state that less than 10% of its Elastic Compute Cloud (EC2) platform is vulnerable, but warned that customers still need to fulfill their own portion of shared responsibility for full protection to be assured.
This is not a vulnerability to be trivialized. The fact that Microsoft and Google went ahead to make public pronouncements outside of their monthly cycles underscores the importance of paying close attention to remediation and how this evolves in the coming week.
With everything said though, it still isn’t time to hit the panic button. Although emergency patches have been released, it is more important to first understand your attack surface within and outside your perimeter, and develop an effective remedial action plan instead of hurriedly applying patches.
The latter only gives you a false sense of security.
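One way to take stock before patching, as the last point advises (an added example, not part of the original post): Linux kernels that report mitigation status do so under `/sys/devices/system/cpu/vulnerabilities/`, and the sketch below ranks hosts from that output. The host names, the `untrusted_code` flag and the sample reports are constructed assumptions; a host whose kernel exposes no status files is counted as unverified rather than safe.

```python
import os

FLAWS = ("meltdown", "spectre_v1", "spectre_v2")
BASE = "/sys/devices/system/cpu/vulnerabilities/"

def parse_report(text):
    """Map each flaw to mitigated / vulnerable / not_affected / unknown."""
    # "unknown" means the kernel exposed no status file, so nothing is proven.
    status = {flaw: "unknown" for flaw in FLAWS}
    for line in text.splitlines():
        # Input lines look like the output of `grep . <BASE>*`: "path:value".
        path, sep, value = line.partition(":")
        flaw = os.path.basename(path.strip())
        if not sep or flaw not in status:
            continue
        value = value.strip()
        if value.startswith("Mitigation"):
            status[flaw] = "mitigated"
        elif value.startswith("Not affected"):
            status[flaw] = "not_affected"
        elif value.startswith("Vulnerable"):
            status[flaw] = "vulnerable"
    return status

def triage(inventory):
    """Return [(host, open_flaws)], hosts running untrusted code first."""
    rows = []
    for host, info in inventory.items():
        status = parse_report(info["report"])
        open_flaws = sorted(f for f, s in status.items()
                            if s in ("vulnerable", "unknown"))
        if open_flaws:
            rows.append((not info["untrusted_code"], -len(open_flaws), host, open_flaws))
    return [(host, flaws) for _, _, host, flaws in sorted(rows)]

# Constructed sample inventory (hypothetical hosts and reports).
INVENTORY = {
    "app-02": {"untrusted_code": False, "report":
               BASE + "meltdown:Mitigation: PTI\n"
               + BASE + "spectre_v1:Mitigation: __user pointer sanitization\n"
               + BASE + "spectre_v2:Vulnerable"},
    "db-01": {"untrusted_code": False, "report": ""},  # old kernel, no sysfs files
    "web-01": {"untrusted_code": True, "report":
               "".join(BASE + f + ":Vulnerable\n" for f in FLAWS)},
    "arm-03": {"untrusted_code": True, "report":
               "".join(BASE + f + ":Not affected\n" for f in FLAWS)},
}

if __name__ == "__main__":
    for host, flaws in triage(INVENTORY):
        print(host, "->", ", ".join(flaws))
```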