Researchers break Intel SGX by creating $30 device to control CPU voltage

Researchers at the University of Birmingham have managed to break Intel SGX, a set of security functions used by Intel processors, by creating a $30 device to control CPU voltage.

The work follows a 2019 project, in which an international team of researchers demonstrated how to break Intel’s security guarantees using software undervolting. This attack, called Plundervolt, used undervolting to induce faults and recover secrets from Intel’s secure enclaves.

Intel fixed this vulnerability in late 2019 by removing the ability to undervolt from software with microcode and BIOS updates.

Taking advantage of a separate voltage regulator chip

But now, a team in the University’s School of Computer Science has created a $30 device, called VoltPillager, to control the CPU’s voltage – thus side-stepping Intel’s fix. The attack requires physical access to the computer hardware – which is a relevant threat for SGX enclaves that are often assumed to protect against a malicious cloud operator.

The bill of materials for building VoltPillager is:

  • Teensy 4.0 Development Board: $22
  • Bus driver/buffer × 2: $1
  • SOT IC adapter × 2: $13 for 6

(Figure: how to build the VoltPillager board)

This research takes advantage of the fact that a separate voltage regulator chip controls the CPU voltage. VoltPillager connects to this unprotected interface and precisely controls the voltage. The research shows that this hardware undervolting can achieve the same results as Plundervolt, and more.

Zitai Chen, a PhD student in Computer Security at the University of Birmingham, says: “This weakness allows an attacker, if they have control of the hardware, to breach SGX security. Perhaps it might now be time to rethink the threat model of SGX. Can it really protect against malicious insiders or cloud providers?”

Most UK businesses using Oracle E-Business Suite are running old systems

The majority of UK businesses using Oracle E-Business Suite (EBS) are running on old versions of the business critical ERP system, according to a Claremont study.

Of the 154 IT professionals polled, 64% revealed they are running on an earlier version than the current R12.2. With Oracle cutting off premier support to EBS 12.1 in December 2021, this leaves these businesses facing potential legislative and security issues if they fail to upgrade prior to the deadline.

58% of the businesses polled claimed they did intend on making the upgrade to R12.2.

“Businesses intent on upgrading to EBS R12.2 face a race against the clock in order to get it done in time. There is now just 14 months until the deadline, and while that may seem like a long time, given that the survey indicates almost two-thirds of businesses are currently looking to upgrade, there is likely to be resource scarcity in the marketplace. With upgrades taking 6-12 months to complete, vendor selections to be made and business cases to be raised, now is the time to act,” said Mark Vivian, CEO at Claremont.

The study also revealed that the majority of EBS users are currently hosting EBS on physical servers. 69% said they were still using physical servers, compared to just 31% hosting EBS on a cloud platform. 60% of businesses claimed they had no intention of migrating to the cloud, while 26% said they were planning a migration, and just 14% said their migration was underway.

The survey also revealed the reasons why those businesses using cloud platforms to host EBS had chosen their cloud provider. 53% of businesses cited price as the main reason they had chosen their cloud provider, while 40% cited greater agility and flexibility, and just 36% cited better support from the cloud vendor.

Mark Vivian added: “It’s surprising to see that so many businesses are still running Oracle E-Business on physical servers. Moving to cloud infrastructure means a shift towards greater agility, crucial for organisations to survive and thrive in response to the accelerating pace of change in today’s marketplace.”

Data protection predictions for 2021

2020 presented us with many surprises, but the world of data privacy somewhat bucked the trend. Many industry verticals suffered losses, uncertainty and closures, but the protection of individuals and their information continued to truck on.

After many websites simply blocked access unless you accepted their cookies (now deemed unlawful), we received clarity on cookies from the European Data Protection Board (EDPB). With the ending of Privacy Shield, we witnessed the cessation of a legal basis for cross border data transfers.

Severe fines levied for General Data Protection Regulation (GDPR) non-compliance showed organizations that the regulation is far from toothless and that data protection authorities are not easing up just because there is an ongoing global pandemic.

What can we expect in 2021? Undoubtedly, the number of data privacy cases brought before the courts will continue to rise. That’s not necessarily a bad thing: with each case comes additional clarity and precedent on many different areas of the regulation that, to date, is open to interpretation and conjecture.

Last time I spoke to the UK Information Commissioner’s Office regarding a technicality surrounding data subject access requests (DSARs) submitted by a representative, I was told that I was far from the only person enquiring about it, and this only illustrates some of the ambiguities faced by those responsible for implementing and maintaining compliance.

Of course, this is just the GDPR. There are many other data privacy legislative frameworks to consider. We fully expect 2021 to bring full and complete alignment of the ePrivacy Regulations with GDPR, and eradicate the conflict that exists today, particularly around consent, soft opt-in, etc., where the GDPR is very clear but the current Privacy and Electronic Communication Regulation (PECR) not quite so much.

These are just inside Europe but across the globe we’re seeing continued development of data localization laws, which organizations are mandated to adhere to. In the US, the California Consumer Privacy Act (CCPA) has kickstarted a swathe of data privacy reforms within many states, with many calls for something similar at the federal level.

The following year(s) will see that build and, much like with the GDPR, precedent-setting cases are needed to provide more clarity regarding the rules. Will Americans look to replace the shattered Privacy Shield framework, or will they adopt Standard Contractual Clauses (SCCs) more widely? SCCs are a very strong legal basis, providing the clauses are updated to align with the GDPR (something else we’d expect to see in 2021), and I suspect the US will take this road as the realization of the importance of trade with the EU grows.

Other noteworthy movements in data protection laws are happening in Russia with amendments to the Federal Law on Personal Data, which is taking a closer look at TLS as a protective measure, and in the Philippines, where the Personal Data Protection Act 2021 (PDPA) is being replaced by a new bill (currently a work in progress, but it’s coming).

One of the biggest events of 2021 will be the UK leaving the EU. The British implementation of the GDPR comes in the form of the UK Data Protection Bill 2018. Aside from a few deregulations, it’s the GDPR and that’s great… as far as it goes. Having strong local data privacy laws is good, but after enjoying 47 years (at the time of writing) of free movement within the Union, how will being outside of the EU impact British business?

It is thought and hoped that the UK will be granted an adequacy decision fairly swiftly, given that historically local UK laws aligned with those inside the Union, but there is no guarantee. The uncertainty around how data transfers will look in future might result in the British industry using more SCCs. The currently low priority plans to make Binding Corporate Rules (BCR) easier and more affordable will come sharply to the fore as the demand for them goes up.

One thing is certain, it’s going to be a fascinating year for data privacy and we are excited to see clearer definitions, increased certification, precedent-setting case law and whatever else unfolds as we continue to navigate a journey of governance, compliance and security.

Consumers don’t entirely trust smart home tech

Smart home tech is marketed to enhance your home and make life easier. However, UK consumers are not convinced that they can trust the privacy and security of these technologies.

To better understand consumers' perceptions of the desirability of the smart home, researchers from WMG and Computer Science, University of Warwick have carried out a nationally representative survey of UK consumers designed to measure adoption and acceptability, focusing on awareness, ownership, experience, trust, satisfaction and intention to use.

Businesses' proposal that adopting the smart home adds meaning and value has not yet been accepted by consumers, who have highlighted concerns about risks to privacy and security.

Researchers sent 2101 participants a survey, with questions to assess:

  • Awareness of the Internet of Things (IoT)
  • Current ownership of smart home devices
  • Experiences of their use of smart home devices
  • Trust in the reliability and competence of the devices
  • Trust in privacy and security
  • Satisfaction and intention to use the devices in the future, and intention to recommend it to others.

The findings suggest consumers are anxious about the likelihood of a security incident: overall, people tend to mildly agree that they are likely to risk a privacy or security breach when using smart home devices. In other words, they are unconvinced that their privacy and security will not be at risk when they use smart home devices.

It also emerged that, when asked to evaluate the impact of a privacy breach, people tend to disagree that its impact would be low, suggesting they expect the impact of a privacy breach to be significant. This emerges as a prominent factor influencing whether or not they would adopt smart home technology, making adoption less likely.

Other interesting results:

  • More females than males have adopted smart home devices over the last year, possibly as they tend to run the house and find the technology helpful
  • Young people (ages 18-24) were the earliest adopters of smart home technology, however older people (ages 65+) also adopted it early, possibly as they have more disposable income and fewer responsibilities – e.g. no mortgage, no dependent children
  • People aged 65 and over are less willing to use smart home devices in case of unauthorised data collection compared to younger people, indicating younger people are less aware of privacy breaches
  • Less well-educated people are the least interested in using smart home devices in the future, and these might constitute market segments that will be lost to smart home adoption, unless their concerns are specifically addressed and targeted by policymakers and businesses.

“Our study underlines how businesses and policymakers will need to work together to act on the sociotechnical affordances of smart home technology in order to increase consumers’ trust. This intervention is necessary if barriers to adoption and acceptability of the smart home are to be addressed now and in the future. Proof of cybersecurity and low risk to privacy breaches will be key in smart home technology companies persuading a number of consumers to invest in their technology,” said Dr Sara Cannizzaro from WMG.

4 in 10 organizations punish staff for cybersecurity errors

New research has found that 42% of organizations are taking disciplinary action against staff who make cybersecurity errors. To examine the prevalence of punishment in businesses and the impact of this on staff, a team of researchers led by Dr John Blythe, Head of Behavioral Science at CybSafe, conducted a survey of cybersecurity awareness professionals as well as an experimental lab study, designed to mimic real-world outcomes when employees click simulated phishing emails. The survey … More

The post 4 in 10 organizations punish staff for cybersecurity errors appeared first on Help Net Security.

IoT security: In 2020, action needs to match awareness

As the power of IoT devices increases, security has failed to follow suit. This is a direct result of the race to the bottom on the price of network-enabling all devices.

But small steps can greatly increase the overall security of IoT.

A better IoT security story has to be one of the most urgent priorities in all of technology. That’s because IoT is one of the industry’s most compelling opportunities and squandering it due to security challenges would be a massive blunder – especially since those challenges are surmountable.

There’s a good reason IoT has become an ever-present buzzword: it has the potential to change many aspects of life and is brimming with opportunities for exciting innovation. This is especially true on the industrial side, where the technology is fueling advances in digital factories, power management, supply-chain optimization, the connected car, and robotics.

Indeed, many companies are moving beyond piloting and prototyping IoT projects to real-world applications. Many are incorporating machine learning and other artificial intelligence (AI) technologies to gain insights from the colossal amounts of data all these sensors and other devices produce.

Yet lack of security continues to threaten the progress of this game-changing technology.

Various research has shown that security is the number one concern for enterprise IoT customers and that they would move faster on IoT programs if their concerns were allayed.

More than three years have passed since the IoT security threat crashed into public view with the massive denial-of-service attack on a major DNS provider which caused outages of some of the web’s most popular sites. The attack was instigated by a botnet of around 145,000 IoT devices – mostly webcams and DVRs – compromised by Mirai malware. In the intervening years, IoT botnets have grown in size and so has the number of attacks fueled by them. But IoT has other troubling security issues, as demonstrated by the rash of IoT locks with glaring security holes in the past year.

The incident should have served as a rallying point for concerted industry action to address IoT security, but little progress has been made.

What’s taking so long?

A primary IoT selling point – the advent of inexpensive sensors and devices – is also a thorn in IoT security’s side. Many manufacturers are pumping out these things without properly securing them for the internet. Many companies, simply looking for the cheapest deals to keep IoT project costs down, buy them without amply considering their security readiness.

Too many devices are being shipped to customers with no password or a standard, hard-coded default password that can easily be discovered and exploited. (The start of the now 400,000-strong Mirai botnet was a single list of 60 usernames and passwords.)

Beyond passwords, many devices simply are not designed with security in mind at both the software and hardware levels. For example, configuration bit streams should be encrypted and protected, but often aren’t.

Another issue is a lack of software updates. When an attack or vulnerability is discovered, updates are not always rolled out in a timely manner – and sometimes not at all.

While IoT security guidelines exist – for example, the Secure By Design code issued by the U.K. in 2018 – they’re seldom enforced. Contrast that with the payment card industry (PCI), which polices itself with rigid security standards and levies penalties on member companies that fail to follow them.

The IoT segment needs to get serious

Awareness of the IoT security issue has reached government level. In the U.S., a Senate bill introduced in 2019 and similar legislation in the House would require the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take steps to increase the security of IoT devices.

In California, a law took effect on Jan. 1, 2020 requiring that all connected devices sold in the state have “a reasonable security feature or features” and banning shared default passwords.

While this government action is a positive sign, industry typically moves faster than government and IoT manufacturers themselves should take greater responsibility for improved security.

A good start might be an IoT security equivalent to the Energy Star certification for energy efficiency of appliances, electronics, HVAC systems, etc. Energy Star is actually a U.S.-government-backed program, but IoT is moving so fast that I think the industry could get this done faster than waiting for the public sector.

It is up to the industry to once and for all deal with the security challenge or face the prospect that IoT will never achieve its enormous promise and all of us will be paying the price for years from vulnerable devices in the field.

EasyJet data breach: 9 million customers affected

British low-cost airline group EasyJet has revealed on Tuesday that it “has been the target of an attack from a highly sophisticated source” and that it has suffered a data breach.

The result? Email address and travel details of approximately 9 million customers and credit card details (including CVV numbers) of 2,208 customers were accessed.

How did the attackers manage to breach EasyJet?

EasyJet's official notice about the incident did not say when it happened, but the company told the BBC that it became aware of it in January and that the customers whose credit card details were stolen were notified in early April.

They also did not say how the attackers got in, only that it seems that they were after “company intellectual property.” Grabbing customer info might have been an afterthought or a secondary goal, then.

Richard Cassidy, senior director security strategy at Exabeam, says that by looking at recent breaches in the aviation industry, the tools, tactics and procedures (TTPs) being used are largely the same ones that have led to significant breaches in other industries.

“Attackers need credentials to access critical data – we can be certain of this – and often it is social engineering techniques that reveal those credentials. They then laterally move through systems and hosts to expand their reach and embed themselves within the infrastructure, providing multiple points of entry and exit. If an attacker can achieve this – as we are seeing here – it is then a case of packaging and exfiltrating critical data,” he added.

“Some airlines are doing it right – implementing state of the art behavioural analytics technologies that learn the normal behaviour of the network and immediately notify the security team when anomalies occur. Many, however, still need to understand that there is a better way to manage security, risk and compliance requirements and it most certainly is not ‘what we’ve always done’. In an industry that has defined ‘automation’ and ‘process efficiencies’, applying the same to Information Security would quite literally revolutionise their ability to detect, respond and mitigate against the largely traditional raft of attack TTPs we’ve seen targeted at aviation this past decade.”

Professor Alan Woodward of the University of Surrey noted that the stolen credit card information might have been the result of a Magecart attack:

It would not be the first time for an airline to be targeted by Magecart attackers – British Airways was hit in 2018.

Advice for affected customers

“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO [the UK’s data protection watchdog], we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” said EasyJet Chief Executive Officer Johan Lundgren.

“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”

Unsolicited communications may take the form of fake invoices, refund offers, requests for additional data, and so on.

“Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website,” advised Tim Sadler, CEO, Tessian.

“Cybercriminals have not missed a trick to capitalize on the COVID-19 crisis, and we’ve seen a huge increase in the number of cyber attacks and scams during this time. The travel industry especially has been severely impacted by COVID-19, and there’s no telling how much more damaging this cyber breach will be to EasyJet’s future. Moving forward, organisations should prioritise security protocols, implement sophisticated protection software, and ensure all employees are aware of security best practices, and carrying them out at all times.”
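The sender check Tim Sadler recommends above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the article or from any of the companies quoted; the allowed sender domains, the urgency phrases and the three sample From/Subject pairs are constructed for illustration.

```python
"""Flag messages whose From header claims an easyJet identity but whose
address does not belong to an assumed-legitimate easyJet domain, and
messages that press the reader for urgent action. Added example with
constructed sample data; the domain allowlist is an assumption."""
from email.utils import parseaddr

# Assumed legitimate sending domains per brand (constructed allowlist,
# not an official list from easyJet).
BRAND_DOMAINS = {
    "easyjet": {"easyjet.com", "email.easyjet.com"},
}
# Display-name fragments that indicate the sender is claiming the brand.
BRAND_KEYWORDS = {"easyjet": ("easyjet", "easy jet")}
# Subject-line phrases typical of pressure tactics (constructed list).
URGENT_PHRASES = ("urgent", "within 24 hours", "immediately",
                  "verify now", "account suspended")


def sender_parts(from_header):
    """Split a From header into (display name, address, address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), addr.lower(), domain


def claimed_brand(display_name):
    """Return the brand the display name appears to claim, or None."""
    lowered = display_name.lower()
    for brand, words in BRAND_KEYWORDS.items():
        if any(w in lowered for w in words):
            return brand
    return None


def domain_allowed(domain, allowed):
    """True only for an exact allowed domain or a proper subdomain of one;
    'easyjet.com.example' is deliberately not accepted."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_message(from_header, subject):
    """Return a list of findings (empty when nothing looks suspicious)."""
    name, addr, domain = sender_parts(from_header)
    findings = []
    brand = claimed_brand(name)
    if brand and not domain_allowed(domain, BRAND_DOMAINS[brand]):
        findings.append(
            f"display name claims {brand} but address domain is {domain!r}")
    if brand is None:
        # No brand in the display name: still catch lookalike domains
        # such as 'easyjet.com.example' that embed the brand name.
        for b, allowed in BRAND_DOMAINS.items():
            if b in domain and not domain_allowed(domain, allowed):
                findings.append(f"lookalike domain {domain!r} for {b}")
    if any(p in subject.lower() for p in URGENT_PHRASES):
        findings.append("urgent call to action in subject")
    return findings


# Constructed sample messages: one legitimate, two suspicious.
SAMPLES = [
    ("easyJet <no-reply@email.easyjet.com>",
     "Your booking confirmation"),
    ("easyJet Holidays <refunds@easyjet-refund-centre.example>",
     "URGENT: claim your refund within 24 hours"),
    ("Customer Care <support@easyjet.com.example>",
     "Account suspended - verify your details"),
]


def triage(samples=SAMPLES):
    """Run the check over each sample; returns [(subject, findings), ...]."""
    return [(subj, check_message(frm, subj)) for frm, subj in samples]


if __name__ == "__main__":
    for subject, findings in triage():
        print(subject, "->", findings or "ok")
```

A real deployment would also consult SPF/DKIM/DMARC results rather than the header text alone, since the From display name is entirely attacker-controlled.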

The UK National Cyber Security Centre (NCSC) has advised affected customers to:

  • Be vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information
  • Change their password on their EasyJet accounts (and other accounts that have the same password)
  • Check if their account has appeared in any other public data breaches, and to
  • Depending on their nature, report any fraud attempts to the police, the NCSC, and their bank’s fraud department.

Criminals boost their schemes with COVID-19 themed phishing templates

Phishers are incessantly pumping out COVID-19 themed phishing campaigns and refining the malicious pages the targets are directed to.

“Credential phishing attackers often tailor their email lures with themes they believe will be the most effective and use general websites for actual credential harvesting. The recent move to create custom COVID-19 payment phishing templates indicates that buyers view them as effective enough to warrant custom tactics to harvest credentials,” Proofpoint researchers have noted.

The COVID-19 themed phishing templates

Cybercriminals have eagerly embraced the opportunities brought on by the COVID-19 pandemic. One of those is the fact that many governments and non-governmental organizations are offering crucial information about the virus and/or financial assistance.

The crooks have put in a lot of effort into creating convincing phishing page templates to impersonate these organizations and make it easier to quickly set up new pages once current ones get blacklisted.

Most of the templates aren’t exact copies of the impersonated websites, but they do copy their look and feel – and that’s often enough to fool many targets.

For example: the multi-layered template that spoofs the legitimate Canadian government website starts with a page that asks users to choose whether they want to continue using the site in English or French (the country’s two official languages), and then offers the credential phishing pages in the chosen language.

Another template that impersonates the US Internal Revenue Service (IRS) first tells the potential victim they are eligible for financial aid as part of the COVID-19 relief program and then leads them to the page asking for their personal information.

Similar schemes are used to impersonate Her Majesty’s Revenue and Customs (HMRC) in the United Kingdom, the French government, the World Health Organization (WHO), the US Centers for Disease Control (CDC), and so on.

The crooks are exploiting people’s anxiety and despair to steal login credentials for a variety of online accounts – Gmail, Office 365, Outlook, etc. – as well as sensitive information such as names, addresses, social security/insurance numbers, payment card information, and so on.

So far, Proofpoint researchers have seen more than 300 different COVID-19 campaigns this year and, as the COVID-19 situation continues to unfold, they expect these kinds of attacks to continue and threat actors to offer additional tools that can make those attacks easier to carry out.

Most IT leaders believe remote workers are a security risk

57 percent of UK IT decision makers still believe that remote workers are a security risk, and that they will expose their organization to the threat of a data breach, according to a survey by Apricorn.

This figure has climbed steadily from 44 percent in 2018 and 50 percent in 2019. The rise could reflect a corresponding increase in the number of remote workers, or an enhanced awareness of the risks of remote working as the UK’s workforce began to follow government guidelines to work from home.

In 2019, 47 percent admitted that their remote workers had already knowingly put corporate data at risk of a breach in the last year; this has now dropped slightly to 44 percent.

Remote workers security risk: Apathy still a major problem

Apathy continues to be a major problem, with 34 percent of IT leaders saying their remote workers simply don’t care about security – exactly the same percentage as last year – which suggests organizations are struggling to get employees to buy into the security strategy.

“This year, the need for organizations to facilitate effective and secure remote working has been cast into the spotlight to an extent no-one could have anticipated,” said Jon Fielding, Managing Director EMEA, Apricorn.

“Our survey shows that while progress has been made in some key areas since 2019, some of the same risks – such as employee apathy or error – remain a problem. In these currently challenging times, when UK workers are being urged to work from home, it’s all the more important that security is a priority for everyone.”

The importance of endpoint control

Organizations have increasingly recognized the importance of endpoint control as remote working has become more prevalent. Nearly all (96 percent) mitigate the risks of BYOD (bring your own device) with a security strategy that covers employees’ use of their own IT equipment out of the office. Of those, 42 percent only allow the use of devices that have been provisioned or approved by IT, and enforce this with strict security measures. This is a significant rise on 2019, when just over 1 in 10 (11 percent) did so.

“Strengthening endpoint controls allows organizations to trust in the integrity of their data and systems wherever the employee is accessing them, and whatever device they’re using. The fact that businesses are recognizing and enforcing this is a positive step,” comments Fielding.

This change is crucial given that lost or misplaced devices are now the second biggest cause of a data breach – cited by almost a quarter of respondents (24 percent), up from 17 percent a year ago. Employees unintentionally putting data at risk remains the leading cause (33 percent), with third parties mishandling corporate information cited as one of the main causes by 23 percent.

Mobile working and GDPR compliance

Despite this, 87 percent of UK IT decision makers agree that their organizations’ remote workers are aware of cybersecurity risks and practices, and follow required policies at all times.

“Remote working is not a new concept, but with so many employees now having had a taste for home working, it might be hard for businesses to put that particular lid back on – so they need to figure out where their vulnerabilities lie now, and address them,” adds Fielding.

When it comes to the challenges of implementing a cybersecurity plan for remote working, almost a fifth of IT decision makers (19 percent) say managing all the technology employees need is the biggest problem, a drop from 30 percent in 2019, which suggests that organizations are getting a handle on the complexity involved in the technology aspect.

In addition, fewer IT leaders believe that difficulties with GDPR compliance is the biggest problem with mobile working: 16 percent agreed, compared with 20 percent in 2019, suggesting that this aspect may have been less of a challenge than they originally anticipated.

One in five SMBs use no endpoint security at all

An alarming number of SMBs (small to medium businesses) in the US and UK are not prepared for a potential cyber attack or breach, BullGuard warns.

One-third of companies with 50 or fewer employees report using free, consumer-grade cybersecurity, and one in five companies use no endpoint security whatsoever.

SMBs are not prepared for a breach

Also worrisome, the BullGuard study found 43% of SMB owners have no cybersecurity defense plan in place at all – leaving their most sensitive financial, customer and business data, and ultimately their companies, at significant risk.

“Small businesses are not immune to cyber attacks and data breaches, and are often targeted specifically because they often fail to prioritize security,” said Paul Lipman, CEO of BullGuard.

“Caught between inadequate consumer solutions and overly complex enterprise software, many small business owners may be inclined to skip cybersecurity. It only takes one attack, however, to bring a business to its knees.”

SMB owners overly confident in the safety of their company and customer data

The study also revealed some glaring discrepancies between what SMB owners believe versus what is actually occurring in the market. Nearly 60% of SMB owners believe their business is unlikely to be targeted by cyber criminals, however the results revealed that 18.5% of SMB owners have suffered from a cyber attack or data breach within the past year.

Unfortunately, while securing data can be simple, remediation is not. Companies that fall victim to a cyber attack often experience significant downtime that seriously impacts productivity, data privacy, and even revenue.

Once breached, 25% of SMB owners stated they had to spend $10,000 or more to resolve the attack, which could be devastating for a small company. As for time lost, 50% of SMB owners said it took 24 hours or longer to recover from a breach or cyber attack, while 25% reported they lost business as a result, and almost 40% stated they lost crucial data.

Despite these numbers, many SMB owners are overly confident in the safety of their company and customer data. One in five SMB owners surveyed stated their organization has zero vulnerabilities, however 50% of SMB owners stated their employees do not receive any cybersecurity training.

A significant number, 65%, of SMB owners report managing their cybersecurity in-house, but less than 10% say they have a dedicated IT staff member. The right solution makes it simple and extremely cost-effective for SMBs to manage their own cybersecurity, ensuring their business is secure and protected.