Tuesday, March 10, 2015

The week in tech news

Monday seemed to be "the day" for big technology and security news. Several big stories broke yesterday, so rather than dive deep into one topic this week, I am going to summarize what you need to know: Rowhammer, FREAK, iOS 8.2, Apple Watch, and [added Tuesday] Microsoft's massive Patch Tuesday.

Rowhammer

As electronics shrink, components are placed ever closer together. Technology can shrink components, but the fundamental properties of physics don't change. Electricity in motion creates a magnetic field, which can affect conductive materials nearby. If you are old enough to remember life before cable, you may remember old televisions with rabbit-ear antennae receiving over-the-air analog TV stations ... any time someone turned on the blender or mixer, the TV picture scrambled. Rowhammer is the same concept on a microscopic scale.

Several years ago (2012, if not earlier), researchers at Carnegie Mellon University demonstrated that by rapidly and repeatedly changing the value in specific parts of computer memory, they could alter a third location in memory without actually touching it. Imagine hammering a nail into a table while loose blocks of wood sit on the same table. If you hammer hard enough, the loose pieces are bound to move around. Similarly, "hammering" on specific rows of memory can change data in adjacent rows. For years it was thought to be a reliability problem, not a security problem: at worst, under unusual conditions, a piece of memory might become corrupted and have to be corrected.

Until now. Mark Seaborn and Thomas Dullien took on the challenge of forcing memory to "corrupt" in a predictable way, a way they could exploit to gain some sort of benefit. They succeeded in a big way. With their research, published yesterday, they are able to exploit this condition to gain kernel-level access (i.e. complete control) to a computer. 

Rowhammer has been a known problem for several years, and computer manufacturers have come up with a variety of ways to limit this type of attack. Some measures are already common, while others may require a software update. Keep an eye out for information from your computer's manufacturer over the next few weeks - more than likely there will be software and BIOS updates for PCs vulnerable to this.

Apple Watch

For months, there has been speculation that Apple would make an "iWatch" to go along with its other mobile devices. In recent weeks, it was all but assumed they would make a watch - the only questions were what its features would be, and what it would cost. Apple answered both questions yesterday ... well, they answered the second at least. Aside from a few basic features (you can customize the time display, and sync it to your iPhone to see notifications and SMS messages on your wrist), there's not a compelling reason for buying one. But it can be yours for a mere $17,000.

Pricing ranges from $349 for the basic model to $17,000 for the "Apple Watch Edition" with its 18-karat gold case and sapphire face (and 18-hour battery life). I know there is a market for 5-figure fashion accessories and timepieces that can be handed down from generation to generation. I'm not that market, but it does exist. $17,000 for a timepiece that lasts less than a day on a charge and will be obsolete when the "Apple Watch 2.0" is released in a year, though, is beyond absurd, so forgive my cynicism.

iOS 8.2

The Apple Watch spawned a barrage of "oohs" and "aahs" along with an equal amount of ridicule. The Watch, though, overshadowed a far more useful release: an update to the iOS software that runs on all iPhones, iPods, and iPads. iOS 8.2 adds support for the forthcoming Apple Watch, but also fixes a great number of bugs. Among the bugs fixed is one that caused calendar events to show GMT instead of local time (great if you live in London, not so great elsewhere), as well as several Bluetooth and WiFi flaws. Ars Technica has a solid rundown on the fixes. iOS 8.2 also fixes the so-called "FREAK" bug.

FREAK SSL/TLS bug

[This was first disclosed early last week, but over the weekend Microsoft announced that Windows too was affected.] In the early 1990s, the US government considered strong encryption to be a national security concern, and so defined weaker "export grade" encryption that could legally be used in products sold to those outside the US. That law has long since gone by the wayside, but it left behind some lingering effects. A surprising number of products can be instructed to abandon current standards and fall back on older export-grade encryption - products such as web browsers and web servers, the very things you would expect a secure website to rely on to protect your conversation or purchase transaction.

Export-grade did not mean "broken." It merely meant weaker, as in weak enough that the NSA could crack it in a reasonable amount of time if they chose. Of course, modern cloud computing means a determined attacker could "rent" more computing capacity for a few hundred dollars than the NSA had available in the 90s. In fact, the researchers who brought this to light spent a mere $104 on Amazon EC2 compute time, and in under 8 hours cracked a variety of encryption keys.

Now for the "don't panic" moment. You as an individual are probably not worth the time and money an attacker would spend to crack an SSL session between you and your bank or shopping site. Even if you were, an attacker still has to somehow insert themselves between you and your bank or shopping site. That's not impossible to do - in fact, if you use a public WiFi service (in a coffee shop, in a hotel, at an airport...), whoever runs that WiFi service is between you and your websites already - keep that in mind before doing any online banking over a WiFi hotspot you don't control. But the sky is not falling. Install updates from your device or operating system manufacturer and go about your merry way.
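For readers who want to see what "falling back on export-grade encryption" looks like in the handshake, here is a toy model I've added (it is not code from the original post and not a real TLS implementation). It models the flaw as reported: an attacker in the middle gets the server to negotiate an export suite and send a 512-bit temporary RSA key, while the vulnerable client, which negotiated a normal RSA suite, encrypts to that key anyway. The cipher-suite names are real; the message structure, the 2048-bit floor and the `mitm_downgrade` helper are simplifications for the example.

```python
from dataclasses import dataclass

EXPORT_SUITES = {"TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
MIN_RSA_BITS = 2048  # key-size floor assumed for this example

@dataclass
class ServerResponse:
    """Simplified ServerHello + ServerKeyExchange as the client sees it."""
    cipher_suite: str
    rsa_key_bits: int   # size of the RSA key the premaster secret is encrypted to
    temp_rsa_key: bool  # True if a ServerKeyExchange carried a temporary RSA key

def honest_server(offered):
    """Picks the client's first suite; the key is its 2048-bit certificate key."""
    return ServerResponse(offered[0], 2048, temp_rsa_key=False)

def mitm_downgrade(offered):
    """Constructed attacker-in-the-middle state: the server was made to negotiate
    an export suite (so it sent a 512-bit temporary key), but the client is
    shown the non-export suite it actually offered."""
    return ServerResponse(offered[0], 512, temp_rsa_key=True)

def vulnerable_client(offered, resp):
    """Pre-fix behaviour: encrypts to whatever key arrives, even a 512-bit
    temporary key in a handshake that negotiated a non-export suite."""
    return resp.rsa_key_bits

def hardened_client(offered, resp):
    """Fixed behaviour: the chosen suite must be one the client offered and not
    export-grade, a temporary RSA key is only legal for export suites (which
    this client never offers), and the key must meet the size floor."""
    if resp.cipher_suite not in offered:
        raise ValueError("server chose a suite the client never offered")
    if resp.cipher_suite in EXPORT_SUITES:
        raise ValueError("export-grade suite refused")
    if resp.temp_rsa_key:
        raise ValueError("temporary RSA key only valid for export suites")
    if resp.rsa_key_bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key too small: {resp.rsa_key_bits} bits")
    return resp.rsa_key_bits

def outcome(client, offered, server):
    """Runs one handshake; returns the RSA key size used, or 'refused'."""
    try:
        return client(offered, server(offered))
    except ValueError:
        return "refused"

if __name__ == "__main__":
    offered = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
    for name, client in (("vulnerable", vulnerable_client), ("hardened", hardened_client)):
        print(name, "vs honest server:", outcome(client, offered, honest_server))
        print(name, "vs downgrade:", outcome(client, offered, mitm_downgrade))
```

The vulnerable client ends up encrypting to a 512-bit key that $104 of rented compute can factor; the hardened client refuses the same handshake on two independent grounds before any key size check is reached.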


Microsoft Patch Tuesday (added Tuesday afternoon)

Microsoft released a boatload of patches today. Among the most serious:

  • MS15-018, MS15-019, MS15-020, and MS15-021 fix flaws in Internet Explorer and in Windows that could be exploited by a malicious website to make your PC do the attacker's bidding.
  • MS15-031 fixes the "FREAK" SSL/TLS flaw.

If you follow my normal recommendations for consumers, your PC is set up to automatically install these patches tonight. If it does not reboot automatically, be sure to reboot as soon as possible tomorrow. Enterprise followers have some testing ahead of them.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen