Monthly Archives: January 2018

Between Walmart and Kroger, 500 stores are about to ditch cashiers

  • Walmart, Kroger and Amazon are exploring ways consumers can shop without interacting with a cashier.
  • Walmart is expanding its “Scan & Go” technology to an additional 100 locations across the U.S. this year.
  • Kroger’s “Scan, Bag, Go” platform will roll out to 400 stores in 2018.


Walmart is expanding its “Scan & Go” technology to an additional 100 locations across the U.S., the retailer announced Tuesday, playing into a growing trend of companies giving consumers the option to shop their stores without interacting with a cashier.


Others working to perfect their own digital shopping scanners include grocery giant Kroger and internet behemoth Amazon, which has been piloting a store without checkout lines, called Amazon Go, near its Seattle headquarters.

Kroger’s recently introduced platform, known as “Scan, Bag, Go,” will roll out to 400 of the grocery chain’s stores later this year. That will put the company ahead of Walmart, which anticipates having its “Scan & Go” service at fewer than 200 stores by the end of 2018.

With “Scan, Bag, Go,” shoppers simply scan bar codes on items they will be purchasing, either with a handheld scanner or via Kroger’s smartphone app, as they walk throughout the store.

Self-checkout kiosks will await customers at the end of their shopping, where valid coupons have been tallied and a final total is instantly calculated. Eventually, shoppers should be able to bypass those kiosks altogether and pay directly through the app, Kroger has told Business Insider.

The process at Walmart looks similar: Using an app, customers will scan items (even produce) on their own as they walk through the store. They will be able to pay on their phones when they’re finished. A Mobile Express lane will also be situated at the front of Walmart’s stores for those shoppers to walk through, for security purposes, before they leave.

Walmart's scan and go technology. Source: Walmart

The impetus behind these efforts is the idea that many consumers today want a speedy, seamless experience, especially when shopping for grocery items.

While some shoppers are getting comfortable with ordering groceries online, a majority of Americans are still reluctant to do so. Although grocery stores are still vital to many communities, those locations often lack technology upgrades. 2018 could be a year to change that — or at least start.

Grocers are under pressure, in an already thin-margin business, to cut costs and make the shopping experience more enjoyable for customers. The front of those stores merits a refresh, where long lines can be slashed and resources can be employed elsewhere.

As the cashier ranks dwindle, displaced employees can work other areas of the store, focusing on certain merchandise categories or assisting customers.

For now, Amazon Go is still only open to the company’s employees in Seattle. But Kroger and Walmart are opening the floodgates for this new technology at hundreds of stores in 2018.


Via: cnbc

Here’s a map of where Walmart is closing more than 60 Sam’s Club stores

  • Walmart abruptly announced plans to close 63 of its Sam’s Club locations across the country.
  • The wholesale club location closings span from Alaska to Puerto Rico.
  • Some of the shuttered stores will be converted into e-commerce fulfillment facilities.


Walmart abruptly announced Thursday plans to close more than 60 of its Sam’s Club locations, or nearly 10 percent of its store fleet, across the country.

The closing wholesale club locations span from Alaska to Puerto Rico. Some of the shuttered stores will be converted into e-commerce fulfillment facilities, the company said.

The news came on the same day the big-box retailer announced it would be boosting its starting wage for hourly employees and handing out bonuses, among other benefits, after the passage of new tax legislation.

As local media outlets began to report on the store closures, though, disgruntled shoppers took to sites like Twitter and Facebook to learn what was going on. Many customers were seen asking for refunds on memberships, which cost $45 annually, and others were concerned about where they would pick up prescriptions.

Late in the day Thursday, Sam’s Club CEO John Furner wrote in a companywide email:

“Transforming our business means managing our real estate portfolio — we need a strong fleet of clubs that are fit for the future. After a thorough review, it became clear we had built clubs in some locations that impacted other clubs, and where population had not grown as anticipated. We’ve decided to right-size our fleet and better align our locations with our strategy. … We will work to place as many associates as possible in new roles at nearby locations, and we’ll provide them with support, resources, and severance pay to those eligible.”

Walmart said it would book a charge of 14 cents per share related to the closures, which would show up mainly in its fourth-quarter results. The company said it would share more details when it reports earnings on Feb. 20.

Walmart “is taking prudent steps to prepare for the next generation of retail warfare, one in which speed will be king and delivery will be judged by hours and not days,” Cowen and Co. analyst Oliver Chen wrote in a note to clients Friday morning.

“We believe Sam’s Club leadership will continue to execute against other initiatives … as management noted that while results have improved over the last several quarters, the retailer can do better as Sam’s Club has under-performed club peers,” Chen said. Those competitors include Costco, BJ’s Wholesale Club and Boxed.

Moving forward, many analysts anticipate Sam’s Club will focus on growing its e-commerce business, amassing a higher-quality grocery selection, marketing its private labels and finding new members.

Furner has said the brand is looking to tap into households with annual income between $75,000 and $125,000.

Here is a list of the stores being closed:

  • 8801 Old Seward Hwy, Anchorage, AK
  • 1074 N Muldoon Rd, Anchorage, AK
  • 48 College Rd, Fairbanks, AK
  • 3900 Grants Mill Rd, Irondale, AL
  • 2425 E Florence Blvd, Casa Grande, AZ
  • 5757 E State Route 69, Prescott Valley, AZ
  • 1375 S Arizona Ave, Chandler, AZ
  • 15255 N Northsight Blvd, Scottsdale, AZ
  • 3360 El Camino Ave, Sacramento, CA
  • 17835 Gale Ave, City of Industry, CA
  • 12540 Beach Blvd, Stanton, CA
  • 12920 Foothill Blvd, Sylmar, CA
  • 69 Pavilions Dr, Manchester, CT
  • 2 Boston Post Rd, Orange, CT
  • 355 FL-436, Fern Park, FL
  • 7233 N Seacrest Blvd, Lantana, FL
  • 5135 S Dale Mabry Hwy, Tampa, FL
  • 2994 Turner Hill Rd, Lithonia, GA
  • 501 N Randall Rd, Batavia, IL
  • 21430 S Cicero Ave, Matteson, IL
  • 6600 44th Ave, Moline, IL
  • 808 S Illinois Rte 59, Naperville, IL
  • 900 S Barrington Rd, Streamwood, IL
  • 1055 McHenry Rd, Wheeling, IL
  • 460 S Weber Rd, Romeoville, IL
  • 3015 W 86th St, Indianapolis, IN
  • 10859 E Washington St, Indianapolis, IN
  • 4024 Elkhart Rd #1, Goshen, IN
  • 9598 Cortana Pl, Baton Rouge, LA
  • 9750 Reisterstown Rd, Owings Mills, MD
  • 1 Tobias Boland Way, Worcester, MA
  • 340 E. Edgewood Boulevard, Lansing, MI
  • 32625 Northwestern Hwy, Farmington Hills, MI
  • 3745 Louisiana Ave S, St Louis Park, MN
  • 2800 27th Ave S, Moorhead, MN
  • 11 Batchelder Rd, Seabrook, NH
  • 81 International Dr S, Budd Lake, NJ
  • 1900 E Linden Ave, Linden, NJ
  • 301 Nassau Park Boulevard, Princeton, NJ
  • 2649 Erie Blvd E, Syracuse, NY
  • 720 Fairmount Ave, Jamestown, NY
  • 700 Elmridge Center Dr, Rochester, NY
  • 1600 Marketplace Dr, Rochester, NY
  • 5085 Dawn Dr, Lumberton, NC
  • 1101 Shiloh Glenn Dr, Morrisville, NC
  • 4825 Marburg Ave, Cincinnati, OH
  • 9570 Fields Ertel Rd, Loveland, OH
  • 615 Old Hickory Blvd, Nashville, TN
  • 1805 Getwell Rd, Memphis, TN
  • 1615 S Loop W, Houston, TX
  • 13331 Westheimer Rd, Houston, TX
  • 22296 Market Place Dr, New Caney, TX
  • 12919 San Pedro Ave, San Antonio, TX
  • 741 E Little Creek Rd, Norfolk, VA
  • 4571 S Laburnum Ave, Richmond, VA
  • 901 S Grady Way, Renton, WA
  • 1101 Outlet Collection Way, Auburn, WA
  • 13550 Aurora Ave N, Seattle, WA
  • 7050 Watts Rd, Madison, WI
  • 1540 S 108th St, West Allis, WI

This list does not contain three additional stores in Puerto Rico.


via: cnbc

WhatsApp flaw could allow anyone to sneak into your private group chat

WhatsApp likes to brag about its end-to-end encryption, but researchers from Germany’s Ruhr University Bochum have discovered a flaw that could allow unwanted eyes to spy upon your private group chats.

In a technical research paper that explores the end-to-end security of three different secure messaging apps capable of allowing “private” group chats, researchers found the most serious shortcomings in the immensely popular WhatsApp platform.

The research paper, presented at the Real World Crypto security conference in Switzerland, describes how an attacker who controls WhatsApp’s servers could add an outsider to an encrypted group chat without the administrator’s approval. Although past messages sent to the group would not be visible to the intruder, they could receive future messages.

Clearly, that’s far from good news, but avid WhatsApp users will be relieved to hear that the addition of the unauthorized party is no secret. Every member of the group receives a message saying that someone new has joined the chat, albeit apparently at the invitation of the group chat’s administrator.

Eagle-eyed members of the group, or the administrator themselves, may notice the interloper and warn the group’s legitimate members.

Furthermore, for someone to insert themselves into a group chat, they need to have first gained control over WhatsApp’s servers (or, as the paper notes, to be able to break the transport-layer security between client and server). That would, one hopes, be beyond the abilities of the typical hacker, but it may be within the realm of a state-sponsored attacker or a regime that is able to put legal pressure on the company.

WhatsApp’s failing is possible because the platform does not authenticate group-management messages (the messages that add or remove members) as coming from an administrator, so a server that can inject such a message can change the member set. The paper makes this clear:

The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces, since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.

As respected cryptography expert Matthew Green explains, the attacks are difficult to pull off successfully, and “nobody needs to panic.”

Nonetheless, that doesn’t mean that the problem should be ignored. Green told Wired that “It’s just a total screw-up” and described the flaw as “eminently fixable.”

In their technical paper, the researchers recommend that group-management messages be signed so they can be properly authenticated:

In order to ensure that only administrators of a group can manipulate the member set, the authenticity of group manipulation messages needs to be protected. This can be achieved, for example, by signing these messages with the administrator’s group signature key.
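The following Go program is an added illustration of that recommendation, not code from the paper or from WhatsApp. It models one member’s view of a group, applies a membership change first without authentication (the behaviour the paper describes, where whoever delivers the message controls the member set) and then only when the change verifies under a known administrator’s Ed25519 key. The message layout, the field names and the per-group sequence number that rejects a re-delivered message are this example’s assumptions; the paper’s recommendation covers the signature itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// GroupOp is a group-management message in the paper's sense: which member
// is added to or removed from which group, and which admin says so.
// Field names are this example's own, not WhatsApp's wire format.
type GroupOp struct {
	GroupID string `json:"group_id"`
	Seq     uint64 `json:"seq"` // per-group counter; lets members reject replays (assumption)
	Action  string `json:"action"`
	Member  string `json:"member"`
	Admin   string `json:"admin"`
}

// SignedOp carries the operation and an Ed25519 signature over its
// canonical JSON encoding, made with the admin's group signature key.
type SignedOp struct {
	Op  GroupOp
	Sig []byte
}

// GroupView is what one member knows: the admins' public keys (learned at
// group creation, outside the server's control), the member set and the
// highest sequence number accepted so far.
type GroupView struct {
	Admins  map[string]ed25519.PublicKey
	Members map[string]bool
	LastSeq uint64
}

func NewGroupView(admin string, pub ed25519.PublicKey, members ...string) *GroupView {
	g := &GroupView{Admins: map[string]ed25519.PublicKey{admin: pub}, Members: map[string]bool{}}
	for _, m := range members {
		g.Members[m] = true
	}
	return g
}

func canonical(op GroupOp) []byte {
	b, _ := json.Marshal(op) // a struct of strings and one uint64 always marshals
	return b
}

// SignOp is what an admin's client does before sending a membership change.
func SignOp(priv ed25519.PrivateKey, op GroupOp) SignedOp {
	return SignedOp{Op: op, Sig: ed25519.Sign(priv, canonical(op))}
}

func (g *GroupView) apply(op GroupOp) {
	switch op.Action {
	case "add":
		g.Members[op.Member] = true
	case "remove":
		delete(g.Members, op.Member)
	}
}

// ApplyUnauthenticated models the weakness: whoever can deliver a
// group-management message (the server, in the paper's model) changes the
// member set, because the client never checks who authorised it.
func (g *GroupView) ApplyUnauthenticated(op GroupOp) { g.apply(op) }

// ApplyAuthenticated is the recommended fix: the change is applied only if
// it verifies under a known admin's key and is not a stale re-delivery.
func (g *GroupView) ApplyAuthenticated(s SignedOp) error {
	pub, ok := g.Admins[s.Op.Admin]
	if !ok {
		return errors.New("signer is not an admin of this group")
	}
	if !ed25519.Verify(pub, canonical(s.Op), s.Sig) {
		return errors.New("bad signature on group-management message")
	}
	if s.Op.Seq <= g.LastSeq {
		return errors.New("stale or replayed group-management message")
	}
	g.LastSeq = s.Op.Seq
	g.apply(s.Op)
	return nil
}

// Demo plays both sides: a malicious server tries to add "intruder" in
// alice's name, then re-delivers a genuine message from alice.
func Demo() (admitted, forgedRejected, genuineAccepted, replayRejected bool) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's key, not alice's
	forged := GroupOp{GroupID: "g1", Seq: 1, Action: "add", Member: "intruder", Admin: "alice"}

	weak := NewGroupView("alice", adminPub, "alice", "bob")
	weak.ApplyUnauthenticated(forged)
	admitted = weak.Members["intruder"]

	strong := NewGroupView("alice", adminPub, "alice", "bob")
	forgedRejected = strong.ApplyAuthenticated(SignOp(serverPriv, forged)) != nil
	genuine := SignOp(adminPriv, GroupOp{GroupID: "g1", Seq: 1, Action: "add", Member: "carol", Admin: "alice"})
	genuineAccepted = strong.ApplyAuthenticated(genuine) == nil && strong.Members["carol"]
	replayRejected = strong.ApplyAuthenticated(genuine) != nil
	return
}

func main() {
	a, f, g, r := Demo()
	fmt.Printf("unauthenticated client: intruder admitted=%v\n", a)
	fmt.Printf("authenticated client: forged rejected=%v genuine accepted=%v replay rejected=%v\n", f, g, r)
}
```

The signature stops the server from forging or altering a membership change, but, as the paper’s excerpt above points out, a server can still drop or reorder messages; the sequence number in this example is one way for clients to notice that for management messages, and it is this example’s addition rather than part of the paper’s recommendation.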

Even though typical WhatsApp users may not lose too much sleep about this particular attack, it may certainly be a concern for journalists and whistleblowers who might have been attracted to WhatsApp in the misguided belief that it delivered total security and privacy.

A WhatsApp spokesperson confirmed the researchers’ findings but reiterated that chat group members would be notified if new parties were added to a conversation:

We’ve looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.

That response may be technically accurate, but I think most WhatsApp users would expect a group chat’s membership to be controlled by the group’s administrator – and not something that could be manipulated by an unauthorized party.

Let’s hope that WhatsApp responds appropriately to the researchers’ findings and plugs this security hole before the threat evolves from being purely theoretical to real life.


via: tripwire

What Are the Benefits of Using Managed Security Services?

Today’s cybersecurity executives have a lot of choices in how they wish to purchase and consume products and services.

The traditional approach of a large up-front capex investment in perpetual licenses works for some organizations, but many are looking towards managed services to reduce their up-front costs and move the overhead of managing the solution to a provider that can efficiently deliver results.

Very few security teams can boast of being fully staffed, but even so, given the propensity of security risks to multiply, those lucky few teams will soon find themselves underwater, as well.

Justifying a move to a managed service requires a realistic review of your infrastructure costs, operational support costs, staffing costs and intangible costs. You should look at those costs over at least three years. You may not own the budget for some of this, so it will require a little bit of investigation, but it is a very valuable exercise.

Here are some examples of the costs that you will want to consider:

It’s easy to forget about infrastructure costs, especially if they are handled by your IT team. You’ll need to do a bit of digging here to come up with your costs, but this is an important part of the justification. Make sure that you consider growth in your calculations, since environments tend to grow over time and resource requirements may change.


Now that you have calculated the cost of infrastructure, we’ll turn to the cost of managing the underlying platforms to ensure that they stay in compliance with your internal IT practices.


A realistic view of how much time you will need to spend to manage the solution is key. All security solutions require some level of care and feeding as well as an investment in sustaining application knowledge.

When you consider a managed service, that team becomes your application experts, and you can focus your efforts on responding to the information provided versus extracting the key bits for yourself. Expertise in any domain requires experience to develop; managed services teams leverage a breadth of expertise that is very difficult for most companies to acquire.


It’s important to realize that any managed service will require some time from internal resources. Typically, it is dramatically reduced (10-20% of a perpetual deployment), but any managed service that says they can deliver value without talking to you should be questioned.

It is also important to consider how many resources you would need to apply if you were to achieve maximum value from the product. A managed service can improve your ability to use more advanced features of the solution without requiring the burden of more overhead.

Finally, there is the intangible. This may not apply to everyone, but these could be very real scenarios.


Tripwire ExpertOps provides managed File Integrity and Secure Configuration from the cloud with the assurance of a team of experts delivering managed services to customers for nearly a decade.


via: tripwire

List of Low or No-Cost Sources of Threat Intelligence

Here’s a list of sites that for little or no cost give you plenty of ideas for where to find first-rate threat intelligence.

Organizations know they need to get serious about threat intelligence, but it’s not always clear where to find credible information. While just about every security industry vendor website offers up information on the latest threats, some are better than others. Here, we’ll point out the sites that are the most informative and useful.

Go through the list. You’ll find that there are many more than eight sites to choose from:


Department of Homeland Security, Automated Indicator Sharing

The Department of Homeland Security’s free Automated Indicator Sharing (AIS) website was set up for private companies to share cyber threat indicators with the federal government. Typical threat indicators available are information such as malicious IP addresses or the sender address of phishing emails. DHS aims to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator will be shared with all AIS participants. Federal officials say while AIS won’t eliminate sophisticated cyber threats, it will clear out the less sophisticated attacks, making it possible for the federal government and private companies to focus on the more pernicious targeted attacks.


FBI InfraGard Portal

The FBI’s InfraGard Portal serves as a clearinghouse for the public and private sectors to share information to protect America’s critical infrastructure. The government breaks critical infrastructure into 16 sectors, ranging from the defense industrial base to manufacturing to dams. The site offers a news feed on events relevant to the 16 sectors, plus Cyber Crimes and Cyber Fugitives links that contain information on the most recent attacks and potential threats being tracked by the FBI.

National Council of Information Sharing and Analysis Centers

While the National Council of ISACs was formed in 2003, the ISAC concept was first introduced in 1998, almost 20 years ago. Today, there are 24 ISACs. Some of them, like the financial services ISAC (FS-ISAC), are expensive to join. But many of them offer low or no-cost threat intelligence. The basic idea is for each critical infrastructure sector to have its own organization that monitors and ferrets out threat information specific to that industry vertical. Most ISACs have 24×7 threat warning and incident reporting capabilities, and many also set the threat level for their sectors. Follow this link to look up the ISAC that applies to your industry.

Ransomware Tracker

Managed by abuse.ch, Ransomware Tracker is a Swiss security site that focuses on tracking and monitoring the status of domain names, IP addresses, and URLs that are associated with ransomware. This includes botnet command-and-control servers, distribution sites, and payment sites. According to the Ransomware Tracker website, by using the data it provides, hosting providers and ISPs, as well as national CERTs, law enforcement agencies and security researchers, can get an overview of the infrastructure exploited by ransomware and whether it is actively being used by threat actors to commit fraud. The site also offers guidelines for mitigating ransomware as well as blocklists for stopping ransomware at the network edge.

The Spamhaus Project

Founded in 1998, The Spamhaus Project is an international non-profit based in Geneva and London that tracks spam and related cyber threats such as phishing, malware, and botnets. While it is best-known for publishing DNS-based blocklists, according to its website, Spamhaus produces special data for use with Internet firewall and routing equipment, such as the Spamhaus DROP lists, botnet C&C data, and the Spamhaus Response Policy Zone data for DNS resolvers, a tool that helps prevent millions of internet users from clicking on malicious links in phishing and malware emails.
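Both of the feeds above are published as plain-text lists meant to be fed into filtering gear. As an added example (not from the Dark Reading article, Spamhaus or abuse.ch), the Go program below parses a list in the DROP file format (one CIDR per line, followed by “;” and a reference; lines beginning with “;” are comments), checks addresses against it, and renders it as an nftables set. The networks and SBL numbers in the sample are constructed for the example; a real list is fetched from Spamhaus.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Entry is one network from a DROP-style list with its reference
// (Spamhaus publishes "CIDR ; SBL<id>").
type Entry struct {
	Net *net.IPNet
	Ref string
}

// ParseDrop reads a DROP-format list, skipping comments and blank lines.
// A line that is not a valid CIDR is an error rather than a skip, so a
// truncated or corrupted feed cannot silently shrink the blocklist.
func ParseDrop(text string) ([]Entry, error) {
	var entries []Entry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		parts := strings.SplitN(line, ";", 2)
		_, network, err := net.ParseCIDR(strings.TrimSpace(parts[0]))
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		ref := ""
		if len(parts) == 2 {
			ref = strings.TrimSpace(parts[1])
		}
		entries = append(entries, Entry{Net: network, Ref: ref})
	}
	return entries, sc.Err()
}

// Match returns the reference of the first listed network containing ip.
func Match(entries []Entry, ip string) (string, bool) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return "", false
	}
	for _, e := range entries {
		if e.Net.Contains(addr) {
			return e.Ref, true
		}
	}
	return "", false
}

// NftSet renders the list as an nftables set; "flags interval" is what
// lets the set hold CIDR ranges, and a rule such as
// "ip saddr @drop_list drop" can then reference it.
func NftSet(entries []Entry) string {
	var b strings.Builder
	b.WriteString("set drop_list {\n\ttype ipv4_addr\n\tflags interval\n\telements = {")
	for i, e := range entries {
		if i > 0 {
			b.WriteString(",")
		}
		fmt.Fprintf(&b, " %s", e.Net.String())
	}
	b.WriteString(" }\n}\n")
	return b.String()
}

// sampleDrop is constructed in the DROP file format; the networks are
// documentation ranges and the SBL numbers are invented.
const sampleDrop = `; Constructed sample in Spamhaus DROP format
198.51.100.0/24 ; SBL000001
203.0.113.0/25 ; SBL000002
192.0.2.0/24 ; SBL000003
`

func main() {
	entries, err := ParseDrop(sampleDrop)
	if err != nil {
		panic(err)
	}
	for _, ip := range []string{"203.0.113.77", "203.0.113.200", "198.51.100.9"} {
		ref, hit := Match(entries, ip)
		fmt.Printf("%-16s listed=%v ref=%s\n", ip, hit, ref)
	}
	fmt.Print(NftSet(entries))
}
```

The linear scan in Match is fine for a list of a few hundred entries, which is the size of the DROP list; for large feeds a radix tree or the kernel’s own interval set does the lookup instead.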

Internet Storm Center

The Internet Storm Center was founded in 2001, growing out of the collaboration that took place in the security community during the Li0n worm outbreak. Today, the ISC gathers millions of intrusion detection log entries every day, from sensors covering more than 500,000 IP addresses in more than 50 countries. The ISC is a free service supported by the SANS Institute from tuition paid by students attending SANS security education programs. The site offers numerous links to tools, educational podcasts, forums, and a job board for security professionals.

Free anti-malware sites

The Verizon 2017 Data Breach Investigations Report found that 51 percent of data breaches analyzed involved malware. Here are links to free sites that offer analysis of the leading malware infecting networks: virustotal.com, malwr.com and VirusShare.com.

Vendor blogs

Vendors will always try to sell you product in the end, but that doesn’t mean that they don’t maintain informative blogs that serve as excellent sources to learn more about what the vendor has found about recent attacks and remedies for protecting your network. Here are some to consider: Alien Vault, Cisco Threat Research Blog, CrowdStrike Research and Threat Intel Blog, FireEye Threat Research Blog, Palo Alto Networks Unit 42, Recorded Future, and Windows Security Blog.

Malware Processing

This is pretty much what you’d imagine: collecting and activating malware to record and store the results for analysis.

This can be conducted internally by cyber-savvy organizations, but is usually performed on a much larger scale by security vendors. The resulting intelligence is used to inform everything from security protocols to the latest antivirus products.

Most importantly from our perspective, analysis of the latest malware is a direct glimpse into the mind of the attacker. Historically there have been clearly identifiable trends in malware creation and distribution, so malware processing is extremely valuable as a means of staying one step ahead.

The Good: Malware processing provides verifiable, actionable indicators of compromise (IOCs) that can be used to tighten security controls across the board. Although the approach is technically passive, requiring malware to be written and released before it can take place, it usually enables organizations to prepare for new malware before they themselves have been affected by it.

The Bad: To some extent malware processing lacks context, since it’s usually not conducted in the environments at risk of being attacked. Equally, since malware can only be analyzed after initial distribution has taken place, this approach is often more about damage minimization than total prevention.

Example: Team Cymru processes malware on a large scale, and provides a range of free and commercial products enabling users to search and splice captured metadata.


Scanning and Crawling

Unlike darknets and telemetry, scanning and crawling are a highly proactive approach to threat intelligence. They involve actively exploring the open web, scanning and cataloguing a huge range of ports and services, and providing information for analysis.

Although not a particularly popular activity among security vendors, there are a number of legitimate uses for the information gathered this way, including searching for externally identifiable vulnerabilities in your own systems.

The Good: Again, this is low cost data that can be used to tighten your organization’s security controls.

The Bad: It’s important to realize that the results of scanning and crawling exercises are data, rather than intelligence. What we’re talking about is massive quantities of raw, unprocessed data.

To process this data into intelligence, you’ll need a substantial amount of skilled manpower, making the exercise much more expensive than it initially appears.

There’s also a significant risk of information overload. The vast majority of data collected from scanning and crawling exercises will be worthless, so identifying the valuable pieces will be difficult and time consuming.

Example: Shodan, the Internet of Things (IoT) search engine, is an example of a service that crawls the open web searching for and indexing internet-enabled devices.


via: darkreading

In-House SOCs Vs. Outsourced – Which Should You Go For

Businesses of all shapes and sizes are moving their networks to the cloud at an increasingly fast rate!

Cloud computing has officially taken off, and with good reason! The benefit of being able to access your network files from anywhere in the world and the promise of potentially unlimited amounts of storage have opened up a world of new possibilities for organizations everywhere.

The new technology, however, has brought its own set of challenges and risks to the IT industry.

The threat of cyber-attacks is more prevalent than it has ever been, and IT security teams need to be on top of their game if they want to keep out this modern generation of hackers. At the same time, organizations are cash-strapped, and most can’t afford to train and keep experienced in-house security staff.

In-house Vs. Outsourced

Modern day companies in the UAE are faced with a simple question: Does it make sense anymore to manage our security in-house, or should we opt for a managed SOC solution?

If your company is facing a similar situation, here are the factors you need to consider in this debate.

Building your own team:

In-house operation centers ultimately suit organizations who value the confidentiality and integrity of their data over the increased expenses.

Pros:
  • The biggest benefit is that you ultimately have complete control over all of your sensitive data.
  • This minimizes the risk of the loss of critical data that a business may be particular about, like trade secrets or new innovations.
  • The solutions being used can be modified to suit your company’s needs.
  • Certain industries like nuclear or space exploration have regulations in place that make having an in-house team far more desirable.
Cons:
  • The cost of hiring, training, and retaining specialist staff continues to increase as skill shortages in the industry grow. It is already a more expensive solution than outsourcing.
  • It can take anywhere from 18 to 24 months to hire and set up a new team. Time is a luxury new businesses can’t afford.
  • Most in-house teams won’t have the capacity or the required expertise to identify and respond to threats in real time.

Outsourcing

Outsourced security solutions are far more cost-effective and stable for small and medium sized businesses.

Pros:
  • There’s no time delay. Businesses that decide to outsource instantly get the full services of an experienced, professional team of experts.
  • There’s no 9 A.M – 5 P.M with managed SOCs. Your networks are monitored around the clock, 24 hours a day, 365 days a year.
  • You’ll only have to pay the monthly costs which the MSSP charges. There are no additional costs of setting up and training a team.
  • The identification of and response to threats is faster. Third-party service providers have access to technologies and techniques which an in-house team might not even be aware of.
Cons:
  • Outsourcing creates a dependency on an outside party to manage your security, which can’t be carried out effectively without proper communication.
  • An MSSP might employ solutions or services that are great for the general industry, but don’t suit your specific needs.
  • You lose control over the ability to manage confidential and sensitive information.

Choosing what’s right for you!

When making your decision, ask yourself the following questions:

  • What is my current approach, and how efficiently is it working out?
  • Do I have the budget to hire and retain an in-house team full time?
  • How confidential is the data?

You’ll also want to consider the physical safety of your offices. A managed SOC allows you to monitor both virtual and physical networks at the same time, thanks to the advances in ELV systems like CCTV cameras and motion sensors etc.


via: managedsecurity

AT&T Aims to Deploy 5G in 2018

Carrier announces it plans to be the first in the U.S. with 5G this year.

After years of development and hype about 5G’s potential, 2018 is likely going to be the year in which 5G wireless is officially deployed in the U.S., and AT&T is predicting that it will be the first U.S. carrier to do so.

AT&T announced on Jan. 4 that it expects to deploy 5G in at least 12 cities across the U.S. by the end of 2018.

“5G will change the way we live, work and enjoy entertainment,” Melissa Arnoldi, president, AT&T Technology and Operations, said in a statement. “We’re moving quickly to begin deploying mobile 5G this year and start unlocking the future of connectivity for consumers and businesses.”

“With faster speeds and ultra-low latency, 5G will ultimately deliver and enhance experiences like virtual reality, future driverless cars, immersive 4K video and more,” Arnoldi added.


via: enterprisenetworkingplanet


240,000 Federal Employees’ PII Potentially Exposed in DHS Data Breach


A data breach involving the U.S. Department of Homeland Security (DHS) might have exposed more than 240,000 current and former federal employees’ personally identifiable information (PII).

On 3 January, DHS published a statement about the security incident. In it, Chief Privacy Officer Phillip S. Kaplan reveals that the U.S. Attorney’s Office and the Department of Homeland Security’s Office of the Inspector General (OIG) discovered the breach on 10 May 2017 as part of a criminal investigation. Officials specifically found an unauthorized copy of the Department’s investigative case management system in the possession of a former DHS OIG employee.

At the time of its discovery, that copied DHS OIG system contained the PII of two separate groups. First, it contained the names, Social Security Numbers, dates of birth, and employment information for 247,167 current and former federal government employees whom DHS directly employed in 2014. Second, it stored names, email addresses, physical addresses, Social Security Numbers, phone numbers, and other data for individuals who were involved in a DHS OIG investigation between 2002 and 2014.

Kaplan is confident that external actors weren’t responsible for the breach and that potentially affected individuals’ PII was not the main target of the incident.

The Department of Homeland Security had its reasons for waiting until 18 December, some seven months after discovery, to send notifications to all possible victims. As it explains in the statement:

The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.

DHS also took the time to introduce additional security measures that limit who can access the types of information exposed in the data breach and that can better monitor suspicious access patterns.

While the Department continues to work to better secure its systems, potential victims of the incident can take advantage of 18 free months of AllClear services that can help protect them against identity theft and credit card fraud. They should also consider placing a security freeze on their credit reports with TransUnion, Experian, Equifax, and Innovis.


via: tripwire

VERT Threat Alert: CPU Vulnerabilities – Meltdown and Spectre

VULNERABILITY DESCRIPTION

Meltdown and Spectre are hardware design vulnerabilities in CPUs utilizing speculative execution.

While the defect exists in the hardware, mitigations in operating systems are possible and are currently available.

CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. The issues are organized into three variants:

  • CVE-2017-5753, Spectre Variant 1: CPUs utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • CVE-2017-5715, Spectre Variant 2: Branch target injection
  • CVE-2017-5754, Meltdown: allows attackers to read arbitrary physical memory (including kernel memory) from an unprivileged user process.

These attacks are possible due to the interaction between operating system memory management and CPU implementation optimization choices.

The Linux kernel mitigations for Meltdown (CVE-2017-5754) are referred to as KAISER, and subsequently KPTI (Kernel Page-Table Isolation), which aim to improve the separation of kernel and user memory pages.

EXPOSURE AND IMPACT

Attacks require the ability to execute code locally on a target system. Typically, this type of attack requires a valid account or independent compromise of the target. Attacks using JavaScript in web browsers are also possible. Multi-user and multi-tenant systems (including virtualized environments) likely face the greatest risk. Systems used to browse arbitrary web sites are also at risk. Single-user systems that do not readily provide a way for attackers to execute code locally face significantly lower risk.

REMEDIATION & MITIGATION

Vendors are releasing patches for vulnerable systems, and cloud environments like Amazon and Azure are patching the operating systems they deliver.

DETECTION

ASPL-759, shipped on January 5, 2018, contained checks for the following products:

  • Microsoft Windows Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 (x64 only)
  • Microsoft SQL Server 2016 & 2017 Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
  • RHEL Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
  • CentOS Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
  • VMware ESXi Patches/Mitigations for CVE-2017-5715, CVE-2017-5753
  • OEL Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
  • Amazon Linux Patches/Mitigations for CVE-2017-5754
  • Apple Mac OS Patches/Mitigations for CVE-2017-5754
  • Google Chrome, Mozilla Firefox, Microsoft Internet Explorer related mitigation detection.
  • Host Information indicating the values of related Microsoft Windows Server registry configuration.

via: tripwire

How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws

We hope to present here a simple, dumbed-down, step-by-step article on how to get these updates and navigate Microsoft’s overly complicated announcement.

There are four Microsoft help pages that we used to compile this information, which you may also want to read, just in case:


1) Guidance for Windows desktop users
2) Guidance for Windows Server users
3) Security advisory ADV180002 (contains KB numbers for update packages)
4) Update compatibility warning for users with third-party anti-virus software


The key and most important sentence on all these pages is:

To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.

What does this mean?

It means that if you go to the Windows Update section of your Windows operating system, press “Check for updates,” and an update appears, you are safe to install it.

Windows update packages (KB numbers) are available here. A different KB number will appear, depending on your operating system and hardware platform.

If nothing comes up, that means Windows has detected the presence of an incompatible anti-virus (AV) application on your system.

The whole mess with anti-virus programs

Microsoft says that during tests, it detected some anti-virus programs causing BSOD crashes that prevented computers from booting after the installation of the Meltdown and Spectre patches.

The company says it instructed anti-virus vendors to modify their products and to create a registry key on customers’ computers once they have confirmed or updated their products, so as not to crash Windows PCs after the Meltdown/Spectre updates.

Microsoft says that currently, whenever users want to update Windows, its update system will check for that registry key on users’ PCs.

If the key exists, the Windows update process will believe the anti-virus software received an update to support the Meltdown and Spectre patches, and install the proper OS updates as well.

This is where things get messy. Some AV companies have said they don’t plan to create that registry key, some said they cannot “technically” create that key, while others will ship updates in the following days.

This Google Docs file contains a list of the responses from some AV companies.

In simple terms, most AV users will have to wait, as most AV companies have promised to update their products and automatically add the registry key.

The simplest approach is to go to the Windows Update section every day and press the “Check for updates” button; you’ll receive the update once your AV product has created that registry key.

If you’re one of the unlucky souls whose AV company doesn’t plan to add that registry key, this is a .reg file Bleeping Computer put together to automatically create the following registry key for you.

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"

We’ll display this in red so it sticks out. Do not run the .reg file unless you’ve confirmed with your AV vendor that their product is compatible with the Meltdown and Spectre patches.

Once you’ve run the file or added the registry key manually, your PC will receive the patches for the Meltdown and Spectre vulnerabilities.
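An added example (not Bleeping Computer’s .reg file and not Microsoft’s code) that checks for the QualityCompat value Windows Update looks for, and only creates it when the caller explicitly asserts that the AV vendor has confirmed compatibility. The registry path and value name come from the article; the value data of 0 follows Microsoft’s published guidance, which the article does not state.

```powershell
# Registry location Windows Update checks before offering the January 2018 patches.
$QualityCompatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompat {
    # Returns $true when the value exists; Windows Update does not inspect its data.
    $item = Get-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName `
        -ErrorAction SilentlyContinue
    return ($null -ne $item)
}

function Set-QualityCompat {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Guard: the value tells Windows Update "the AV on this box is compatible".
        # Setting it without vendor confirmation risks the boot-time stop errors
        # the article describes, so the caller has to state it explicitly.
        [switch]$AvVendorConfirmedCompatible
    )
    if (-not $AvVendorConfirmedCompatible) {
        throw 'Refusing to set QualityCompat: confirm AV compatibility with the vendor first.'
    }
    if ($PSCmdlet.ShouldProcess($QualityCompatPath, "Create DWORD $QualityCompatName")) {
        if (-not (Test-Path $QualityCompatPath)) {
            New-Item -Path $QualityCompatPath -Force | Out-Null
        }
        # Data 0 (0x00000000) is what Microsoft's guidance specifies (assumption:
        # the article names only the type, REG_DWORD, not the data).
        New-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

if (Test-QualityCompat) {
    Write-Host 'QualityCompat value present: Windows Update will offer the January 2018 patches.'
} else {
    Write-Host 'QualityCompat value missing: AV not marked compatible, patches will be withheld.'
    # Only once the AV vendor has confirmed compatibility:
    # Set-QualityCompat -AvVendorConfirmedCompatible -WhatIf   # preview the change
    # Set-QualityCompat -AvVendorConfirmedCompatible           # apply it
}
```

Run it from an elevated PowerShell session, since the value lives under HKLM.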

How can you check the status of the patches?

Microsoft has also released a set of PowerShell one-liners that you can use to check whether your PC installed the updates properly, or whether you need additional firmware updates.

When starting PowerShell, make sure you start it with Admin privileges so that you can install the required modules.

The PowerShell command below downloads and installs a PowerShell module for testing for the Meltdown and Spectre flaws.

Install-Module SpeculationControl

If you run the command and get execution errors, you might need to adjust your PowerShell execution policy. Run the following command:

Set-ExecutionPolicy Bypass

Now you can run a second PowerShell command that actually checks your system:

Get-SpeculationControlSettings

Google says that not all CPUs are vulnerable to the Meltdown and Spectre flaws, but if the result looks like this, with lots of red-colored text, then your CPU and OS are vulnerable to these attacks. Most likely, it looks like this.

Before patches

The next step is to press the “Check for updates” button until you receive a Meltdown/Spectre patch. As explained above, this might take a few days for some users with “problematic” anti-virus software.

Windows Update for Meltdown and Spectre patches

After the updates, you’ll need to run Get-SpeculationControlSettings again. There are two possible scenarios.

The most common scenario is the following result:

After patches, but needed more firmware updates

This output means that your system received patches for the Meltdown bug, but has received incomplete patches for the Spectre bug.

This was to be expected, as Google said yesterday that Spectre is harder to exploit, but also harder to patch.

What the red text means is that you need additional chipset firmware updates. Microsoft and Google say that OEMs will need to provide users with these additional firmware updates to complete the Windows OS-level Spectre patches. Depending on your computer’s age, some OEMs might not make these firmware updates available, meaning you’ll be stuck with an incomplete Spectre patch.

If your laptop/desktop/server vendor has provided extra chipset firmware updates, you can get them from their official sites, install them, and complete the patch.

If everything is OK, all checks will appear in green-colored text, like so:

Complete Meltdown and Spectre patches

When the output is all green and each item is set to True, as shown above, then you are now protected from these attacks.

Once you’re done, remember to set the PowerShell execution policy back to a restricted mode, which may be useful in mitigating malware attacks that use PowerShell to run malicious commands.
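The check procedure above, wrapped into one script as an added example (not the article’s own commands and not part of Microsoft’s SpeculationControl module): it installs the module if missing, runs Get-SpeculationControlSettings, and turns the returned object into a Meltdown/Spectre verdict that flags the “OS patched, firmware still missing” case. The property names used (BTI* and KVAShadow*) are assumed to be those of the module as shipped in January 2018; later versions add more fields.

```powershell
function Get-MeltdownSpectreStatus {
    # Relax the execution policy for this process only, so the machine-wide
    # policy stays restricted and nothing has to be reverted afterwards.
    Set-ExecutionPolicy Bypass -Scope Process -Force

    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl

    # The cmdlet prints its own coloured report; we keep the returned object
    # for a machine-readable verdict.
    $s = Get-SpeculationControlSettings

    # Meltdown (CVE-2017-5754): either the CPU is not affected, or kernel VA
    # shadowing (Windows' counterpart to KPTI) must be present and enabled.
    $meltdownOk = (-not $s.KVAShadowRequired) -or [bool]$s.KVAShadowWindowsSupportEnabled

    # Spectre variant 2 (CVE-2017-5715): needs the OS update (support present)
    # and the OEM's microcode/firmware update (hardware present), then enabled.
    $spectreOsPatched  = [bool]$s.BTIWindowsSupportPresent
    $spectreFirmwareOk = [bool]$s.BTIHardwarePresent
    $spectreOk         = [bool]$s.BTIWindowsSupportEnabled

    [PSCustomObject]@{
        MeltdownMitigated      = [bool]$meltdownOk
        SpectreV2OsPatched     = $spectreOsPatched
        SpectreV2FirmwareReady = $spectreFirmwareOk
        SpectreV2Mitigated     = $spectreOk
        # The article's "red text" case: OS patched, firmware still missing.
        NeedsOemFirmwareUpdate = ($spectreOsPatched -and -not $spectreFirmwareOk)
    }
}

# Run from an elevated PowerShell session.
Get-MeltdownSpectreStatus | Format-List
```

Because the policy change is scoped to the process, the manual reset to a restricted policy that the article recommends is not needed here.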


via: bleepingcomputer