More stories


    New Platypus attack can steal data from Intel CPUs

    A team of academics has disclosed today a new attack method that can extract data from Intel CPUs.

    Named Platypus, an acronym for “Power Leakage Attacks: Targeting Your Protected User Secrets,” the attack targets the RAPL interface of Intel processors.
    RAPL, which stands for Running Average Power Limit, is a component that lets firmware and software applications monitor the power consumption of the CPU and DRAM. Because it effectively reports how much electrical power the CPU is drawing to perform its tasks, it has been used for years to track and debug application and hardware performance.
    Researchers steal encryption keys via Intel RAPL
    In a research paper published today, academics from the Graz University of Technology, the University of Birmingham, and the CISPA Helmholtz Center for Information Security have revealed how a Platypus attack can be used to determine what data is being processed inside a CPU by looking at values reported via the RAPL interface.
    “Using PLATYPUS, we demonstrate that we can observe variations in the power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, allowing inference of loaded values,” researchers said.
    These “loaded values” refer to data loaded in the CPU. These can be encryption keys, passwords, sensitive documents, or any other type of information.

    Accessing this kind of data is normally protected by a slew of security systems, such as kernel address space layout randomization (KASLR) or hardware-isolated trusted execution environments (TEEs), like Intel SGX.
    However, researchers say that Platypus allows an attacker to bypass all these security systems by looking at variations in power consumption values.
    In tests, researchers said they bypassed KASLR by observing RAPL power consumption values for only 20 seconds, and then they retrieved data from the Linux kernel. In another test, they also retrieved data that was being processed inside Intel SGX secure enclaves.
    A Platypus attack that retrieved RSA private keys from an SGX enclave required the attacker to monitor RAPL data for 100 minutes, while an attack that retrieved AES-NI encryption keys from an SGX enclave and from the Linux kernel memory space took 26 hours.
    Linux more vulnerable than the rest
    According to the research team, Platypus attacks work best on Linux systems. This is because the Linux kernel ships with the powercap framework, a universal driver for interacting with RAPL interfaces and other power-capping APIs, which makes power consumption values easy to read.
    Attacks on Windows and macOS are also possible, but in these cases, the Intel Power Gadget app must be installed on the attacked devices to allow the attackers to interact with the RAPL interface.
    Platypus attacks aimed at Intel SGX enclaves work regardless of the underlying OS, since the attacker is going after the isolated SGX enclave rather than the OS and the memory it manages.
    A first of its kind remote attack
    The Platypus attack, so named after the platypus animal’s ability to sense electrical current with its bill, is a first of its kind attack.
    While other research teams have managed to observe CPU power read-outs by connecting oscilloscopes to a CPU, Platypus attacks can be carried out remotely.
    For example, the attack’s code can be packed inside malicious apps (malware) that are installed or planted on a targeted device. This allows the attack to be carried out without a threat actor needing physical access to the attacked system.
    Platypus is reminiscent of PlunderVolt, another attack against the voltage interface of Intel CPUs. However, the two attacks are different, Moritz Lipp, one of the researchers who worked on both Platypus and PlunderVolt, told ZDNet.
    The difference is that PlunderVolt is an active attack that modifies power values, while Platypus is a passive attack that infers data just by looking at the power consumption data.
    Patches available starting today
    Researchers say that Platypus works against Intel server, desktop, and laptop CPUs. Intel has also confirmed that some mobile and embedded CPUs are also impacted.
    The chipmaker has released today microcode (CPU firmware) updates to block Platypus attacks, which the company has made available to industry partners to include in their products’ next security updates.
    The Linux kernel has also shipped an update. The update restricts access to the RAPL interface to apps with elevated privileges only, making attacks harder to pull off from inside low-privileged apps.
    Updates for the Platypus attacks will contain references for CVE-2020-8694 (Linux+Intel), CVE-2020-8695 (Intel), and CVE-2020-12912 (Linux+AMD), the three identifiers for the issues exploited during a Platypus attack.
    No need to panic
    But amidst an onslaught of recent Intel CPU bugs, there is no need to panic. Intel also said that it was not aware of any attacks exploiting this bug in the wild, outside the academic research field.
    Most of the CPUs affected by the Platypus attack are recent CPU models that are still supported by both Intel and device makers, which will most likely distribute Intel’s microcode updates to users in future updates.
    A list of affected CPUs is available in Intel’s security advisory.
    Other CPU makers likely impacted as well
    Besides Intel, almost all other chipmakers also include a RAPL interface with their products. The research team says that these products are also likely impacted; however, they have not tested all devices available on the market today due to prohibitive research time and budget costs.
    “We already ran some experiments on AMD where we observed leakage through the energy consumption as well (it’s in the Appendix of the paper),” Lipp told ZDNet. For its part, AMD has also released microcode updates.
    “We [also] discussed ARM-based devices as well but did not have the time to thoroughly evaluate them.”
    Other processor vendors that ship RAPL-like power capping systems include NVIDIA, Marvell, and Ampere.
    Additional details about the Platypus attack, including a research paper [PDF], are available on a dedicated website.
    Update: Article updated with AMD CVE, which became public after this article’s publication.


    IoT security is a mess. These guidelines could help fix that

    The supply chain around the Internet of Things (IoT) has become the weak link in cybersecurity, potentially leaving organisations open to cyber attacks via vulnerabilities they’re not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.
    The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities which can arise when building connected things.
    One of the key recommendations is that cybersecurity expertise should be further integrated into all layers of organisations, including engineering, management, marketing and others so anyone involved in any part of the supply chain has the ability to identify potential risks – hopefully spotting and addressing them at an early stage of the product development cycle and preventing them from becoming a major issue.
    It’s also recommended that ‘Security by Design’ is adopted at every stage of the IoT development process, focusing on careful planning and risk management to ensure that any potential security issues with devices are caught early.
    “Early decisions made during the design phase usually have impactful implications on later stages, especially during maintenance,” said the report.
    Another recommendation is that organisations throughout the product development and deployment cycle should forge better relationships in order to address security loopholes which may arise when there’s no communication between those involved.

    These include errors in design due to lack of visibility in the supply chain of components – something which can happen when there’s misunderstandings or lack of coordination between parts manufacturers and the IoT vendor.
    However, not all responsibility should rest with IoT manufacturers; the paper also recommends that customers and end-user organisations play a role in supply chain implementation, as they can “benefit greatly from dedicating resources to studying the current landscape and adapting the existing best practices to their particular case”.
    “Securing the supply chain of ICT products and services should be a prerequisite for their further adoption particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT,” said Juhan Lepassaar, executive director of ENISA.


    Critical privilege escalation bugs squashed in WordPress Ultimate Member plugin

    Critical privilege escalation vulnerabilities have been patched in the popular WordPress plugin Ultimate Member.

    Accounting for over 100,000 active installations on websites that use the WordPress content management system (CMS), Ultimate Member allows webmasters to offer membership, sign-ups, and member profile functionality. 
    According to a report published on Monday by the Wordfence security team, the plugin contained three vulnerabilities that could be used in privilege escalation attacks, allowing threat actors to escalate their account rights to administrator levels and potentially hijack entire websites. 
    The bugs were found in version 2.1.11 and below of the plugin. CVE IDs are pending for each security flaw. 
    The first bug — assigned a CVSS score of 10.0, the highest possible — was found in the user registration form process of the plugin, as a lack of checks on some user-input data allowed attackers to submit arbitrary user meta keys during the registration process. 
    These keys would then update database information, including the parameters used to define a user’s role — and privileges. 

    “This meant that an attacker simply needed to supply wp_capabilities[administrator] as part of a registration request, and that attacker would effectively update the wp_capabilities field with the administrator role,” Wordfence says. 
    The second vulnerability discovered by the security team, also granted a CVSS score of 10.0, was found in the same function. A lack of filtering could lead to attackers “supplying [themselves] a role parameter,” Wordfence explained, and while default WordPress roles were blocked, this could be circumvented by supplying custom Ultimate Member roles instead. 
    When registering a role parameter, attackers could assign themselves high privilege roles, and if wp-admin access is enabled for a particular user or role, then the third and final bug comes into play. 
    Wordfence discovered another bug, assigned a CVSS severity score of 9.9, which was caused by verification failures on profile updates. 
    Ultimate Member allows for the creation of new roles and also permits site administrators to assign secondary roles for users. Therefore, a user could have default rights on signup, but could then be assigned a secondary role that gives them additional privileges. 
    The function that facilitates extra role assignments, profile_update, leans on other functions that do not perform the right checks, and so an attacker could supply a post field to assign themselves a high-privilege role. 
    “This meant that any user with wp-admin access to the profile.php page, whether explicitly allowed or via another vulnerability used to gain that access, could supply the parameter um-role with a value set to any role including ‘administrator’ during a profile update and effectively escalate their privileges to those of that role,” Wordfence says. 
    Wordfence discovered the trio of vulnerabilities between October 19 and 23, 2020. By October 26, the developer had been reached and confirmed the existence of the security issues. 
    On October 26, the developer provided the Wordfence team a patched copy of the software for analysis but the security issues still existed. It took a further four days for a working patch to be developed and rolled out. 
    A security fix was released in version 2.1.12 of Ultimate Member. At the time of writing, over 80% of users have upgraded and are now protected against exploitation of the privilege escalation vulnerabilities. 


    Tim Berners-Lee: This new Solid privacy server will help secure your data

    If you’re not happy with tech giants owning and controlling your data and online habits, Sir Tim Berners-Lee’s startup, Inrupt, could provide the answer. 
    Berners-Lee, who’s credited with creating the web while working at CERN, has announced the first enterprise-ready version of Inrupt’s Enterprise Solid Server, an open-source program that aims to embody the World Wide Web Consortium’s (W3C) Ethical Web Principles. 


    Inrupt wants to steer the web in a new direction, away from its control by a few tech and social-media giants. The company proposes to do this via ‘pods’ – comparable to a personal USB stick for the web – which aren’t locked in to a single platform and give users the controls to access and use their data. 
    Inrupt was launched by Berners-Lee and fellow co-founder and CEO John Bruce to back the Solid open-source project, which provides users with the controls to give them a choice about where their data is stored and how apps access that data. The project’s goals are lofty but so was the web when Berners-Lee sketched out his ideas for it in 1989.  
    “The web should empower an equitable, informed and interconnected society. It has been, and should continue to be, designed to enable communication and knowledge-sharing for everyone. In the 30 years since development of the web began, it has become clear that the web platform can often be used in ways that subvert that mission,” the Ethical Web Principles state.
    Bruce co-founded Resilient Systems, an incident-response platform that IBM acquired in 2016. Resilient integrated with IBM’s security information and event management (SIEM) system, QRadar. Inrupt has also attracted fellow Resilient co-founder, Bruce Schneier, a well-known encryption expert who is now Inrupt’s chief of security architecture.     

    Solid has a few high-profile early adopters, including the BBC, NatWest Bank, and the UK’s National Health Service (NHS) that help explain how Solid pods can be used to solve real problems, improve privacy for individuals and help with business transformation using the web in a different way.
    In the case of the NHS, the problem Solid can solve is how to manage personal data stores. Currently, patients can’t easily access their complete personal health record and can’t control who has access to that data. Nor can they share their data with the people who matter to them, and they have no way of adding data to that store from, say, a smart watch. 
    According to Berners-Lee, big tech and the way it has used private data have not only led to problems for end users via massive data breaches but have also spurred legislators to create burdensome privacy regulations, such as Europe’s General Data Protection Regulation and the California Privacy Act.   
    “The web was always meant to be a platform for creativity, collaboration, and free invention – but that’s not what we are seeing today,” said Berners-Lee. 
    He argues that business transformation is being hampered because the various parts of an individual’s life are being managed by different silos.
    “But the users and teams can’t get the insight from connecting that data. Meanwhile, that data is exploited by the silo in question, leading to increasing, very reasonable, public skepticism about how personal data is being misused. That in turn has led to increasingly complex data regulations,” he said.
    Regulations across the world that attempt to emulate GDPR could help Inrupt move from a fringe project to a more mainstream success.


    Singapore moots mandatory offsite verification for financial institutions

    Singapore is considering requiring various types of personal information, such as passwords and biometrics, to facilitate “non-face-to-face” verification for financial services. This comes amidst a rise in impersonation scam cases and risks of personal data theft. 
    In a consultation paper released Tuesday, the Monetary Authority of Singapore (MAS) mooted the mandatory use of at least one of several types of information to verify individuals tapping an offsite financial service channel, such as phone or online banking, before processing any transaction or request. 
    These include information only the individual knows, such as a password or PIN, or something only the individual has, such as a one-time password generated by a hardware token issued to the individual or a software token activated on the individual’s mobile device. Information used for verification can also include the individual’s biometric data, such as face or fingerprint recognition, or information known only between the individual and the financial institution, such as account transaction information. 


    MAS also proposed that financial institutions be barred from using commonly used personal information such as NRIC number, residential address, and date of birth as the only means of identity verification. 
    Such requirements were necessary amidst the increasing impersonation scam cases and to address growing risks from theft and misuse of personal data. 
    MAS’ chief cybersecurity officer Tan Yeow Seng said: “Personal information such as NRIC number and date of birth are often provided by members of public for various purposes, such as filling in an application form. This information, if fallen into the wrong hands, can be used for impersonation fraud. 
    “Financial institutions already have in place these identity verification practices. The proposed Notice [outlined in the consultation paper] will further bolster consumer confidence in financial institutions by making these identity verification practices compulsory during non-face-to-face financial transactions,” Tan said. “Consumers should also play their part by not disclosing their online banking login credentials such as account username, PIN number, and one-time password.”

    The industry regulator said it was seeking feedback on the proposed requirements, which should be submitted before December 9. 
    In a separate statement Tuesday, MAS also urged financial institutions to review their security controls, as remote work and other safe management measures implemented due to the COVID-19 pandemic could introduce added technology-related risks.
    It recommended a list of added controls these organisations should consider adopting, such as reviewing whether their current risk profiles had changed and remained acceptable and if they had adequate risk mitigating measures. They also should step up oversight of third-party vendors and their controls, monitoring and securing remote access by third-parties to their systems. 
    In addition, MAS recommended that financial institutions strengthen the governance of their use of open source software, whose vulnerabilities are typically targeted and exploited by threat actors. These organisations should establish policies and procedures on the use of open source software and ensure software code is reviewed and tested before deployment.
    MAS’ managing director Ravi Menon said: “As the [pandemic] prolongs, [financial institutions’] resilience will come under greater stress as cyber attackers look for new vulnerabilities. Financial institutions must remain alert and nimble and strengthen their defences against emerging cyber threats.”
    The industry regulator in August last year implemented new legislation aimed at enhancing the cybersecurity posture of financial organisations, outlining mandatory requirements with which these businesses would have to comply by August 2020. The Notice on Cyber Hygiene outlined steps these businesses must take to mitigate the growing risk of cyber threats, including complying with six main requirements such as implementing robust security for IT systems, ensuring updates were applied “in a timely manner” to address system security flaws, and deploying security devices to restrict unauthorised network traffic. 
    It also would be mandatory for these companies to implement measures to mitigate risks of malware infection, secure the use of system accounts that have special privileges, and beef up user authentication for critical systems, including systems used to access customer data. 


    Chrome to block tab-nabbing attacks

    Google will deploy a new security feature in Chrome next year to prevent tab-nabbing, a type of web attack that allows newly opened tabs to hijack the original tab from where they were opened.
    The new feature is scheduled to go live with Chrome 88, to be released in January 2021.
    While the term “tab-nabbing” refers to a broad class of tab hijacking attacks [see OWASP, Wikipedia], Google is addressing a particular scenario.
    This scenario refers to situations when users click on a link, and the link opens in a new tab (via the “target=_blank” attribute).
    These new tabs keep a reference to the original page that opened them. Via the JavaScript “window.opener” property, the newly opened tab can navigate the original tab to another URL and so redirect users to malicious sites.

    This type of attack has powered quite a few phishing campaigns across the years. To mitigate this threat, browser makers like Apple, Google, and Mozilla have created the rel="noopener" attribute.
    For the past few years, security researchers and top web developers have constantly advocated that website owners add rel="noopener" to all the links where they also use the “target=_blank” attribute as a way to block tab-nabbing attacks [1, 2].

    However, most of today’s websites end up abandoned, or website owners don’t have the time to keep up with the latest trends in web development and web security.
    That is why, in 2018, both Apple and Mozilla moved to incorporate the rel="noopener" attribute and automatically apply it to all newly opened tabs inside Safari and Firefox by default.
    With Chrome 88, Google will be catching up with the two other major browser makers. Besides adding this feature in Chrome, the new tab-nabbing protection will also be added to all the other Chromium-based browsers, such as Edge, Opera, Vivaldi, and Brave.
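    The window.opener exposure and the rel="noopener" fix described above, as an added example that is not code from the article, Google or OWASP: the helper below (the names auditAnchors and hardenAnchors are my own) lints an HTML string for target=_blank links that leave window.opener reachable and rewrites them to carry noopener, which is what a site owner would run over templates while browsers without the default protection are still in use. It also accepts rel=noreferrer as sufficient, since the HTML spec defines noreferrer as implying noopener behaviour.

```javascript
// Added example for the tab-nabbing scenario in the article; not code from
// ZDNet, Google or OWASP. A static linting aid: it scans an HTML string for
// <a> tags that open a new tab (target="_blank") while leaving window.opener
// reachable (no rel="noopener"), and rewrites them to add it. Tag matching is
// regex-based so it runs in Node without a DOM; it is meant for templates and
// rendered pages, not as a full HTML parser.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const REL_RE = /(^|\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;

// Parse one tag's attribute text into a map of lower-cased name -> value.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function opensNewTab(attrs) {
  return (attrs.target || "").toLowerCase() === "_blank";
}

// rel is a whitespace-separated token list, so "nofollow noopener" qualifies.
// noreferrer also counts: the HTML spec says it implies noopener behaviour.
function hasNoopener(attrs) {
  const tokens = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes("noopener") || tokens.includes("noreferrer");
}

// Report every anchor that opens a new tab without severing window.opener.
function auditAnchors(html) {
  const findings = [];
  let m;
  ANCHOR_RE.lastIndex = 0;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (opensNewTab(attrs) && !hasNoopener(attrs)) {
      findings.push({ tag: m[0], href: attrs.href || "" });
    }
  }
  return findings;
}

// Rewrite offending anchors: merge noopener into an existing rel, or add one.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!opensNewTab(attrs) || hasNoopener(attrs)) return tag;
    if (attrs.rel !== undefined) {
      const merged = `${attrs.rel} noopener`.trim();
      return tag.replace(REL_RE, `$1rel="${merged}"`);
    }
    return `<a${attrText} rel="noopener">`;
  });
}

// Constructed sample (not from any real site): one unprotected link, one with
// an unrelated rel, one already safe, one that stays in the same tab.
const SAMPLE_HTML = [
  '<a href="https://example.com/" target="_blank">partner</a>',
  '<a href="/docs" target="_blank" rel="nofollow">docs</a>',
  '<a href="/safe" target=_blank rel="noopener noreferrer">safe</a>',
  '<a href="/same-tab">home</a>',
].join("\n");

for (const f of auditAnchors(SAMPLE_HTML)) {
  console.log(`unprotected new-tab link: ${f.href}`);
}
console.log(hardenAnchors(SAMPLE_HTML));
```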


    New 'Ghimob' malware can spy on 153 Android mobile applications

    Security researchers have discovered a new Android banking trojan that can spy on and steal data from 153 Android applications.

    Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published on Monday by security firm Kaspersky.
    Kaspersky says the new Android trojan has been offered for download packed inside malicious Android apps on sites and servers previously used by the Astaroth (Guildma) operation.
    Distribution was never carried out via the official Play Store.
    Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.
    These apps mimicked official apps and brands, with names such as Google Defender, Google Docs, WhatsApp Updater, or Flash Update. If users were careless enough to install the apps despite all the warnings shown on their devices, the malicious apps would request access to the Accessibility service as a final step in the infection process.
    If this was granted, the apps would search the infected phone for any of 153 targeted apps, for which they would show fake login pages in an attempt to steal the user’s credentials.

    Most of the targeted apps were for Brazilian banks, but in recently updated versions, Kaspersky said Ghimob also expanded its capabilities to start targeting banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).
    Furthermore, Ghimob also added an update to target cryptocurrency exchange apps in attempts to gain access to cryptocurrency accounts, with Ghimob following a general trend in the Android malware scene that has slowly shifted to target cryptocurrency owners.
    After any phishing attempt was successful, all collected credentials were sent back to the Ghimob gang, which would then access a victim’s account and initiate illegal transactions.
    If accounts were protected by hardened security measures, the Ghimob gang used its full control over the device (via the Accessibility service) to respond to any security probes and prompts shown on the attacked smartphone.
    Ghimob’s features aren’t unique, but actually copy the make-up of other Android banking trojans, such as BlackRock or Alien.
    Kaspersky noted that Ghimob’s development currently echoes a global trend in the Brazilian malware market, with the very active local malware gangs slowly expanding to target victims in countries abroad.


    Tasmania makes big leaps in Cisco Australian Digital Readiness Index

    Tasmania has risen to first place in Australia in terms of ease to do business in the Cisco Australian Digital Readiness Index 2020 report, and when combined with its lack of coal use and reliance on hydro, the state jumped from near the bottom of the Australian states ranking to be firmly mid-table.
    The Apple Isle gained its increase on the back of having the highest five-year business survival rate in the country, being rated as the state with the highest level of government support for small businesses and having the second-highest rate of confidence among small to medium-sized businesses. The state was also boosted for having 99.9% of its premises able to receive an NBN connection.
    On the flip side, Tasmania had the second-lowest per capita level of business investment in research and development.
    Overall, the postage stamp-sized ACT was rated the most digitally ready place in Australia, followed by New South Wales, Western Australia, Tasmania, Queensland, South Australia, and the Northern Territory.
    As the home of the Commonwealth public service, the sheep paddock cum national capital scored well for having a trained labour force, high government expenditure per capita on R&D, and being able to cater for basic needs. It dropped down the ranking, however, in categories such as startup environment and ease of doing business.
    Leading the way in venture capital investment was NSW, which had almost double that of the now second-placed ACT. Despite this, the state was ranked only sixth for technology adoption and seventh for technology infrastructure.
    The report, which was based on surveys completed in June 2020, was an update on a report first completed in 2018.

    Vice president of Cisco ANZ Ken Boal said the first report was a chance to encourage businesses and governments to increase digital investments.
    “Two years later the value of those investments have been repaid many times over and has provided Australia with a robust and comprehensive digital capability that has been essential for navigating through the COVID-19 crisis and building economic recovery post-pandemic,” he said.
    “However, it is important that we don’t become complacent with Australia’s digital readiness. This report highlights the need for accelerating new investment to improve Australia’s global competitiveness to keep up with competitor nations and bridge the divide between states and territories to build societal resilience.
    “Digitally advanced countries such as Singapore, which ranked first in the global index this year, should help Australia to set the ambition for its digital readiness.”
    Earlier in the week, the Australian government released submissions to its proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020, which would expand the obligations in the Security of Critical Infrastructure Act 2018 to the communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors.
    The tech giants, including Cisco, asked that definitions and classifications be clarified, particularly around terms such as data and cloud computing.
    “We, and I think we weren’t the only ones, we made a comment about whether data centres should be an industry in itself — because obviously every business that could be caught by the [Bill] is probably operating a data centre or has data in a data centre or relies on a data centre to access its critical applications,” Cisco ANZ director of government affairs Tim Fawcett told journalists on Tuesday.
    “So we made the point that that shouldn’t necessarily be an industry in and of itself.”
    Late last month, Cisco announced an update to its SecureX set of products, noting that, for the first time in 13 years, it had halved the number of product names in its security portfolio.
    “I think we at Cisco have done a lot of things right over the years and then there’s a few things … that we could probably do better,” Cisco senior vice president and general manager for security Jeetu Patel told ZDNet.
    “We found in security that our products were getting to be so convoluted to understand on what they did and what they were that there were just far too many things, and for a new person coming in, it just would make your head hurt.”
    Patel added that Cisco has bundled products together in a more logical way and given products names that are descriptive.
    “So that people don’t have to say ‘Well what is that?’ and let’s make sure that we do without acronyms, and just talk about names that are very descriptive,” he said.